Typographic Conventions


This document uses these typographic conventions. 


• The names of windows, views, tabs, dialog boxes, panes, panels, buttons, fields, options,
checkboxes, and the like are in Initial Caps, or otherwise capitalized according to their
labels.

• Keystrokes are shown in all capital letters, such as TAB, CTRL, OPT, CMD, SPACEBAR.
Keys pressed at the same time are joined with +, such as CTRL+S, OPT+T.

• The names of elements that you are directed to interact with by clicking, selecting, or typing
are shown in bold.

• Immediately contiguous menu actions, such as clicking a toolbar button or menu and then
immediately clicking another item in a resulting submenu, are separated with the » symbol,
such as

Edit » Copy
Preferences » Data Collection


• File names, folder names, file paths, disk names, drive names, volume names, partition names,
and the like are shown in italic. File extensions such as .pdf, .docx, .jpg, and so forth are not
shown in italic.

• Variables are enclosed with «angle brackets», such as «PLATFORM» VOLUMES, where
«PLATFORM» is either MACOS or WINDOWS.

• Anything you are directed to type exactly, such as file names, commands, or code, is shown
in a console font.


If you find any typos, inaccuracies, or other problems in this documentation, please send an
email to support@cellebrite.com. Please include the title of the document, the version of the
document, and the title of the topic in your message.
Document Revision History


This user guide addresses only the most recent version of Inspector. 


This topic identifies information that is new, removed, or changed within this document in this 
version of Inspector. 


Inspector Version 10.4

• Document Revision History: This topic is new.
• Intended Audience: Moved this topic from the Preface to the Introduction.
• What's New in Version 10.4: This chapter is new.
• Improved information about ensuring that email previews are available in reports:
  ◦ Inspector Preferences or Options: In the Report Tab section, revised the last sentence and its note.
  ◦ Email: Added a sentence before the numbered steps.
  ◦ Tagging Evidence: Added the section titled Tagging Email.
  ◦ Generating and Exporting the Examiner Report: Added a paragraph about including email previews in reports.
• Added information about setting the maximum number of processors Inspector should use:
  ◦ Inspector Preferences or Options: In the Options Tab section, added the last two sentences to the first paragraph under Processing Options.
• Deleted the topic Creating and Opening a Case. The information is now in two distinct topics:
  ◦ Create a New Case
  ◦ Open a Case


What's New in Version 10.4 


This chapter presents information about features that are new or changed in version 10.4 of 
Inspector. 


• Classification
  ◦ Define Classifications
  ◦ Classify Items
  ◦ See Classified Items
  ◦ Filter by Classification
  ◦ Remove Classifications from Items
  ◦ Apply and Remove Classifications with Tags
  ◦ Classifications in Portable Cases
• Activity Correlation
• Expanded Support for Dictionary Attacks
• Categorize Internet Domains
• Usability Improvements
  ◦ Improved Support for macOS Big Sur
  ◦ Imaging and Evidence Ingestion
    - Image Attached Drives
    - Ingest Backups from Within Images
    - Ingest .UFD Files
    - Windows Search Index and Metadata
  ◦ Indexing Performance
  ◦ Hex View Highlight
  ◦ Support for License Management
  ◦ Censored Pictures and Videos
  ◦ Filtering
Classification


The new classification feature provides another facet for identifying evidence items and 
managing how they are seen in portable cases and reports. The first three classifications, 


Privileged, Sensitive, and Relevant, cannot be edited. You can define the remaining seven 
classifications as necessary. 


Define Classifications 


1. Open or create a case file and then click Manage » Classifications.
The Classifications dialog box appears.

2. Select any classification other than Privileged, Sensitive, or Relevant. 

3. For the selected classification, click in the Description column.


[Screenshot: Classifications dialog box. The dialog reads: "Click on a row to select it and then
click on the description to edit it. Descriptions in italics are predefined and may not be changed.
The item count represents the number of items that are assigned to the classification." It lists
each classification with its item count, for example:]

Description               Item Count
Privileged                4
Sensitive                 4
Relevant                  3
Technical Publications    18
Classification #5         0
Classification #6         0
Classification #7         0
Classification #8         0
Classification #9         0
Classification #10        0

[Close]


4. Type the appropriate name for this classification and then press ENTER. 


Classify Items 


You can classify evidence items in all views, individually or with several items selected at once.
You can apply more than one classification to an item.

• Select the item, click Classifications » Classify Files As, and then select the appropriate
classification.

• Select the item, open the context menu, click Classifications » Classify Files As, and then
select the appropriate classification.
See Classified Items


The Classification column is available in all views as the last column. You can sort this column. 


[Screenshot: an evidence list with Classifications as the last column, after Size, Extension,
Content Extension, Locked, MD5, and ID. The column shows values such as "Technical
Publications", "Privileged, Technical Publications", "Relevant, Technical Publications", and
"Privileged, Relevant, Technical Publications"; items with no classification have an empty cell.]


Multiple classifications are separated by commas and the order is always the same as the list of 
classifications. 


Filter by Classification 


Classification is available in the File Filter view and when filtering within specific views. 


[Screenshot: File Filter view, with the Saved Filters list, the + condition and + (group) controls,
the Invert Filter and Ignore Folders and Duplicate Files checkboxes, and the Reset, Save This
Filter, and Filter buttons. The result list shows a Classifications column after Content,
Extension, Path, Directory, Locked, Hidden, Category, MD5, and Entropy, with values such as
"Privileged, Relevant, Technical Publications" and "Sensitive, Technical Publications".]


Remove Classifications from Items 


You can remove all classifications, or any single classification, from items.

• Select the item, click Classifications » Remove Classification from Files, and then select
either the appropriate classification or All.

• Select the item, open the context menu, click Classifications » Remove Classification from
Files, and then select either the appropriate classification or All.
Apply and Remove Classifications with Tags


You can use tags as a means to apply classifications to items and remove classifications from 
items. 


1. Under TAGS in the Component list, click the appropriate tag.

2. To apply a classification to all items with this tag, open the context menu, click Classify
Tagged Items As, and then click the appropriate classification.

3. To remove a classification from all items with this tag, open the context menu, click Remove
Classification from Tagged Items, and then click the appropriate classification or click All.


Classifications in Portable Cases 


When you create a portable case, you can limit the extracted data by classification. If you select
one or more classifications, the portable case contains only the data that has at least one of the
selected classifications, plus data that has no classification at all. Data whose classifications are
all unselected does not appear in the portable case.


[Screenshot: Generate Portable Case window. It reads "Select items to be included in the
Portable Case:", offers the Limit Extracted Data to date range option, the Include Portable Case
Reader for: Windows / Mac checkboxes, and the Generate Portable Case button, with the status
"Exporting data from all evidence items".]


For example, consider a case using the three pre-defined classifications, Privileged, Sensitive,
and Relevant. Some data is classified once, some twice, and some with all three classifications.
When you create a portable case, you choose to include only data classified as Sensitive and
Relevant; you do not select Privileged. The portable case then contains the following.

• Data classified only as Privileged does not appear.

• Data classified as either or both Sensitive and Relevant does appear.

• Data classified as Privileged and also either Sensitive or Relevant does appear.

• Data classified with all three classifications does appear.
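The two rules from this chapter, the Classifications column text (comma separated, always in the order of the classification list) and the portable-case inclusion rule illustrated above, written out as code so they can be checked against a real export. This is an added example, not Inspector's own code; the classification names, the sample items, and the treatment of an empty selection as "no limit" are assumptions.

```python
"""Classification column rendering and portable-case inclusion rules as code.
Added example, not Inspector code. The classification names, the sample items
and the treatment of an empty selection as "no limit" are assumptions."""

# The ten classification slots in their defined order; the first three are fixed
# and the rest are renamed by the examiner (one is renamed here as an example).
CLASSIFICATIONS = (
    ["Privileged", "Sensitive", "Relevant", "Technical Publications"]
    + [f"Classification #{n}" for n in range(5, 11)]
)
RANK = {name: i for i, name in enumerate(CLASSIFICATIONS)}

# Constructed sample: item ID -> classifications assigned to it, in any order.
ITEMS = {
    166540: [],
    166604: ["Technical Publications"],
    166614: ["Technical Publications", "Privileged"],
    166619: ["Relevant", "Technical Publications"],
    166607: ["Sensitive"],
    166606: ["Relevant", "Privileged", "Sensitive"],
}


def render_classifications(assigned):
    """Column text: comma separated, in the order of the classification list,
    whatever order the classifications were applied in."""
    unknown = set(assigned) - set(RANK)
    if unknown:
        raise ValueError(f"unknown classification(s): {sorted(unknown)}")
    return ", ".join(sorted(set(assigned), key=RANK.__getitem__))


def include_in_portable_case(assigned, selected):
    """An item is exported if it carries no classification at all or shares at
    least one classification with the selection. An empty selection is taken to
    mean no limiting (assumption), so every item is exported."""
    assigned, selected = set(assigned), set(selected)
    return not selected or not assigned or bool(assigned & selected)


def portable_case_items(items, selected):
    """IDs of the items that land in a portable case limited to `selected`."""
    return [i for i, cls in items.items() if include_in_portable_case(cls, selected)]


def filter_by_classification(items, wanted):
    """Filter by Classification: IDs of the items carrying `wanted`."""
    return [i for i, cls in items.items() if wanted in cls]


if __name__ == "__main__":
    for item_id, cls in ITEMS.items():
        print(item_id, "|", render_classifications(cls))
    print("Sensitive + Relevant ->", portable_case_items(ITEMS, ["Sensitive", "Relevant"]))
```

The point to keep in mind when reviewing a portable case: unclassified items are always carried along, so limiting by classification removes only items whose every classification was left unselected.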
Activity Correlation


In the Actionable Intel view, activity correlation now supports images from Mac computers. The 
Correlation view also now supports filtering, and in particular lets you filter on date and time. 
This provides a time-based view that shows how an artifact came to be and how it is related to 
other artifacts. For more information, see Filtering. 


These usability enhancements were made to the Correlation view. 


• Splitters have been added to let you change the size of all the panes.

• When an item in the middle pane has very long text in a column, you can now hover your
mouse pointer over that text to see all of it, rather than scrolling and resizing columns.

• These filters have been added: Owner, Event Type, Description, and Artifact Count.


Expanded Support for Dictionary Attacks 


Inspector has expanded support for creating custom dictionary files with password candidates 
for use in investigations. This support is in the form of an exported .TXT file with one word on 
each line, without duplicates. This .TXT file provides key material for use by third-party software, 
such as Passware Kit Forensic. 


For both Windows and Mac images, you can extract the index. 
Note: This process can take some time to complete. 


1. Run indexing in Inspector for the appropriate volumes.

2. When indexing is complete, select the volumes to export.

3. Click Action » Export » Export Password Key List.

4. Specify the destination and filename for the exported .txt file.

5. To see progress, in the Component list click Export / Imaging Status under Activity.


[Screenshot: Export / Imaging Status list with a Clear List button.]


For the password export in progress, you can see the destination you specified, the duration 
of the export, and the status. 
6. During export, you can pause or delete the action.


• To pause an export in progress, click Exporting and then click Pause.
To resume a paused export, click Paused and then click Resume.
• To delete the export in progress, click Exporting and then click Delete Item.


When the export is complete, the status becomes Finished. 


You can find the exported .TXT file in the destination you specified. This is an example. 


[Screenshot: PasswordKeyList.txt open in Notepad, one candidate per line, for example:]

lers2212
DehCuxd*tl
temporal60355
spuk9136
1969BossMustang


Note: It may take some time to open the .TXT file if it is very large. 


For images ingested from Mac OSX 10.x through Mojave 10.14.3 and from iOS 9.x through 12.x, 
Inspector can also export password hashes, custom dictionary entries, and keychain files. 
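To show what the exported key list is for, here is the same idea end to end: build a deduplicated one-candidate-per-line list from text of the kind the index holds, then run it as a dictionary attack against a hash. This is an added example in Python, not Cellebrite code and not how Inspector builds its list; the text corpus is constructed (it includes candidates like the ones in the sample file above) and the target hash is computed inline from one of them.

```python
"""Build a password key list (one candidate per line, no duplicates) from
indexed text and run it as a dictionary attack against a hash.
Added example, not Cellebrite code; the text corpus and the target are constructed."""
import hashlib
import re
from pathlib import Path

# Candidates are runs of non-whitespace, also split at '=' and ':' so that
# key=value and label: value pairs yield the value on its own. Inner punctuation
# such as the '*' in DehCuxd*tl is kept, since it may be part of a password.
TOKEN_RE = re.compile(r"[^\s=:]+")
EDGE_PUNCT = ".,;!?\"'()[]{}"


def extract_candidates(texts, min_len=4, max_len=64):
    """Yield unique candidates in first-seen order, dropping very short tokens."""
    seen = set()
    for text in texts:
        for tok in TOKEN_RE.findall(text):
            tok = tok.strip(EDGE_PUNCT)
            if not (min_len <= len(tok) <= max_len) or tok in seen:
                continue
            seen.add(tok)
            yield tok


def write_key_list(texts, path):
    """Write the candidates one per line (UTF-8); return how many were written."""
    candidates = list(extract_candidates(texts))
    Path(path).write_text("\n".join(candidates) + "\n", encoding="utf-8")
    return len(candidates)


def dictionary_attack(path, target_hex, algo="sha256"):
    """Hash each line of the key list; return the candidate that matches, or None."""
    target_hex = target_hex.lower()
    with open(path, encoding="utf-8") as fh:
        for line in fh:
            cand = line.rstrip("\r\n")
            if cand and hashlib.new(algo, cand.encode("utf-8")).hexdigest() == target_hex:
                return cand
    return None


# Constructed "indexed" text: a note, a config fragment and a browser-history line.
SAMPLE_TEXTS = [
    "Remember: the NAS login is spuk9136 and the old one was temporal60355.",
    "wifi_psk=DehCuxd*tl  # shared with the office",
    "Search history: 1969BossMustang 1969BossMustang mustang parts forum",
]


def demo(path="PasswordKeyList.txt"):
    """Write the sample key list, then recover a constructed SHA-256 target."""
    count = write_key_list(SAMPLE_TEXTS, path)
    target = hashlib.sha256(b"DehCuxd*tl").hexdigest()  # stands in for a recovered hash
    return count, dictionary_attack(path, target)


if __name__ == "__main__":
    print(demo())
```

Real targets are usually salted and iterated (PBKDF2, bcrypt, or a vendor-specific scheme), so in practice the plain `hashlib.new` call is replaced by the matching derivation, which is what tools such as Passware do; the key list format, one candidate per line with no duplicates, is the part that stays the same.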
Internet Domain Categories


Internet domains are now automatically categorized according to a list created by Cellebrite. 
Accordingly, Internet Category is a new filter option for the Internet views. 


[Screenshot: the Internet views (Bookmarks, Cache, Cookies, Downloads, Form Data, History,
Last Session, and others) with the filter list open. Filter options include Classifications, Date
Last Visited, Title, Visit Count, Date Visited, Visited From, Visit Type, Visit Duration, URL,
Browser, and User Profile. Chrome history rows for sans.org reading-room and forensicswiki.org
pages are shown with the Internet Category "Computers Electronics and Technology".]


The list of categories is determined by the nature of the domains for internet artifacts ingested 
for the entire case. It can include a wide variety of categories in broad areas such as arts and 
entertainment, business and consumer, computers, electronics and technology, hobbies and 
leisure, and many more. 


Internet domains that include sites with risk for malware and cryptocurrency, for example, 
appear in categories like these. 


• "Computers Electronics and Technology/Computer Security" for Bitcoin and malware
• "Finance/Finance" for Dogecoin
Usability Improvements


Improvements and usability enhancements were made in these areas. 


• Improved Support for macOS Big Sur
• Imaging and Evidence Ingestion
• Indexing Performance
• Hex View Highlight
• Support for License Management
• Censored Pictures and Videos
• Filtering


Improved Support for macOS Big Sur 


For macOS 11 Big Sur, system partitions can now be ingested and parsed. Spotlight, Bluetooth, 
and Wi-Fi are also now supported. 


Imaging and Evidence Ingestion 

There are several enhancements for imaging and evidence ingestion. 

Image Attached Drives 

Inspector can now acquire full disk or logical images of attached drives. These attached drives 


must be write-blocked either with software- or hardware-based write blockers. With the drive 
connected, click Action » Disk Imaging. 


[Screenshot: Image Device dialog box. It shows the attached drive and its volumes (for example
OS (NTFS) (1.8 TB), Disk, Local Disk), the Image Type list, the MD5, SHA1, and SHA256 hash
checkboxes, the Segment Size list (for example No Segments), Destination(s), the Automatically
Add to Case File (Triage Mode) checkbox, and the Examiner Name, Case Number, Evidence
Number, Description, and Note fields, with Refresh, Exit, and Start buttons.]


The Image Device dialog box shows only the options appropriate for the selected image type. To 
save time when triaging, you can use the Automatically Add to Case File (Triage Mode) checkbox 
to set whether to ingest after imaging. You can see information about ingestion and processing 
when you select Export / Imaging Status under Activity in the Component list. 
Ingest Backups from Within Images


Inspector can now directly ingest device backups from within images, rather than exporting and 
ingesting the backup into the case file. This improves efficiency and reduces the size of case 
files. These file types may be imported from Actionable Intel » Insights » Device Backups. 


• .E01
• iPhone backups
• plain files and directories
• raw disk images
• some specific .dmg types
• .zip
• .tar


If .zip or .tar files are imported and Process Archives is selected, they appear as an evidence 
source with all the contents of the archive in the file browser for that evidence source. 


Ingest .UFD Files 


On the Add Evidence window, you can now select .UFD files (not .UFDX files) from any collection 
and the corresponding compressed evidence files are automatically selected and ingested. The 
collection must be in its original unaltered folder structure. If you prefer, you can still manually 
select compressed files instead, such as .TAR, .ZIP, and .DAR. 


Windows Search Index and Metadata 


On the Add Evidence window, when you select Actionable Intel for the Extract Data processing 
option, data is automatically parsed from the Windows search index and file metadata is added 
to the associated files after processing. You can see the result on the new Windows Index view in 
System view, where keys and values appear for each selected item type. If Windows metadata is 
available for a selected file, you can see it in the Windows Metadata section in the Metadata view. 


[Screenshot: System view with the Registry, Spotlight, Applications, System Logs, and Windows
Index views. The Windows Index view lists an Item Type and Path for each entry (for example
File folder entries under /$WINDOWS.~BT/Sources/Windows10.0-KB4517388-x64/ for zh-tw,
zh-cn, uk-ua, and tr-tr), and for the selected item shows keys and values such as
System.FileName = zh-tw, System.FileAttributes = 8208, and
System.DateModified = 2019-11-05 10:44:27.3405752-07:00. The Record tab below shows fields
such as BBTID, FileSystemID, Name (Windows.edb), and Path
(/ProgramData/Microsoft/Search/Data/Applications/Windows/...).]
Indexing Performance


Inspector now uses SQLite instead of Elasticsearch for index searching. Within Inspector, the
Help topic for the Query Name field in Index Search has been updated accordingly. For the
query syntax, see https://sqlite.org/fts5.html#full_text_query_syntax.


Indexing now runs faster than before, and Inspector is more responsive now during indexing. 
Indexing still takes longer to complete than other processing options. Run the index process only 
when it is necessary, and with the expectation that it will take time to complete. 
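Because the Query Name field now takes FTS5 syntax, it helps to try that syntax against a small index before running it over a large case: an unquoted hyphen or colon, for instance, is parsed as syntax rather than as part of the term. The following is an added example using Python's built-in sqlite3 module; it is not Inspector's index schema or code, and the documents are constructed.

```python
"""Try the SQLite FTS5 query syntax against a small in-memory index.
Added example, not Inspector's own schema or code; the documents are constructed."""
import sqlite3

# Constructed: path -> text, standing in for indexed file content.
DOCS = {
    "/Users/josh/notes.txt": "Transferred the wallet backup to the external drive last night.",
    "/Users/josh/todo.txt": "Backup external drive; check wallet seed phrase.",
    "/Users/josh/README.md": "Driver installation notes for the printer.",
}


def fts5_available():
    """True if this SQLite build was compiled with the FTS5 extension."""
    try:
        sqlite3.connect(":memory:").execute("CREATE VIRTUAL TABLE t USING fts5(x)")
        return True
    except sqlite3.OperationalError:
        return False


def build_index(docs=DOCS):
    """Create an in-memory FTS5 table; `path` is stored but not tokenized."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE VIRTUAL TABLE idx USING fts5(path UNINDEXED, body)")
    con.executemany("INSERT INTO idx(path, body) VALUES (?, ?)", list(docs.items()))
    return con


def search(con, query):
    """Paths matching an FTS5 MATCH expression, best-ranked (bm25) first."""
    rows = con.execute("SELECT path FROM idx WHERE idx MATCH ? ORDER BY rank", (query,))
    return [r[0] for r in rows]


def quote_term(term):
    """Quote a literal string so FTS5 treats it as a phrase instead of parsing it.
    Needed for anything containing punctuation, such as 2019-11-05 or a path."""
    return '"' + term.replace('"', '""') + '"'


if __name__ == "__main__":
    con = build_index()
    queries = [
        "wallet backup",            # two bare terms: implicit AND, any order
        '"wallet backup"',          # phrase: the two words adjacent, in order
        "driv*",                    # prefix: drive, driver, ...
        "wallet NOT seed",          # boolean exclusion
        "NEAR(backup drive, 2)",    # at most 2 tokens between the terms
        quote_term("seed phrase"),  # a user string, quoted for safety
    ]
    for q in queries:
        print(f"{q:<24} -> {search(con, q)}")
```

The tokenizer folds case and splits on punctuation, which is why `driv*` matches "Driver" and "drive;" alike; the order of results comes from FTS5's bm25 ranking, so when you need a stable order for a report, sort on a stored column instead.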


Hex View Highlight 


For certain item types in the Insights view under Actionable Intel, when you select part of a file's 
content in the lower portion of the Content pane, the corresponding content is also highlighted in 
Hex view. It also appears in the related Data Interpreter view as a String. 


[Screenshot: Actionable Intel » Insights with Program Execution » Notifications selected.
Selecting part of a notification's content in the Content pane (for example an app identifier
such as Microsoft.MicrosoftOfficeHub_8wekyb3d8bbwe) highlights the same bytes in Hex view
and shows them as a String in the Data Interpreter view.]

This is available for these items in Actionable Intel » Insights.

• Passwords » Apple Keychain
• Program Execution » Notifications
• All items in ComDlg32
• All items in Windows Activity Timeline
Support for License Management


The License Manager application is no longer required for managing Inspector licenses. Now, 
you can update your license file directly from within Inspector. The options on the Help menu 
have been changed to support this. This is the Help menu now. 


Cellebrite Website
    Open the Cellebrite home page in a web browser.

Inspector Feedback
    Send an email to Cellebrite to provide feedback about Inspector.

Technical Support
    Open the technical support page on the Cellebrite website in a web browser.

Update Dongle License
    Open the Update Dongle window, where you find and select the license file for your
    Inspector device and click Update. The license filename uses this pattern:
    bbtlicense «serialNumber», where «serialNumber» is the serial number for your
    Inspector device.

Enter License Key
    Used for demonstration purposes with cooperation from Cellebrite sales. If an Inspector
    device (dongle) is connected to the computer, this option does not open the window.

About Inspector (only on Windows)
    Open the About Inspector window, which shows the version, build, dongle ID (serial
    number), and expiration for Inspector as well as contact information.

Check for Updates (only on Windows)
    Check for a newer version of Inspector.
Censored Pictures and Videos


When you select a picture type tag, you can now set whether censored pictures and videos are 
exported with reports. Also, the user interface when configuring a tag makes it more clear that 
choosing to censor photos affects both photos and videos. 


[Screenshot: the TAGS section of the Component list with a picture tag selected. The tag
configuration pane shows the Media Picture items, the path of a selected picture, and the note
"Click the Configure button to select which additional metadata will be displayed in reports";
the Data Interpreter and INDEX SEARCHES panes are shown below.]


Filtering 


For all views except the File Filter view, filtering based on time now includes hours and minutes 
in addition to date. 


These more robust time-based options have been added. 


• is exactly (with HH:MM)
• is after (with HH:MM)
• is before (with HH:MM)
• is between (with HH:MM)
• is not (with HH:MM)
Introduction


Inspector is a comprehensive software solution to help investigators conduct digital forensic 
investigations on Mac computers, iOS devices (iPhone, iPad, iPod touch), Android devices, and 
Windows computers. Inspector is designed for both novice and advanced users and offers a 
clean interface featuring easy navigation as well as powerful advanced options. The interface 
provides forensic examiners both robust capabilities and an intuitive and elegant user 
experience throughout all phases of a digital forensic investigation. 


With Inspector, you can accomplish these tasks. 


• Manage cases.

• Collect files from remote computers (only for customers using Endpoint Inspector, offered by
Cellebrite Enterprise Services).

• Ingest, manage, and verify evidence.

• Browse, search, and filter evidence.

• Analyze evidence with views focused on timelines, media, communications, locations,
internet activity, productivity tools, system activities, and actionable intelligence.

• Tag evidence, create reports, and share evidence in portable case files.


This chapter provides these topics about Inspector. 


• Intended Audience
• Hardware and Software Requirements
• Installing Inspector
• Registration
• Analyzing Digital Evidence
• Reporting
• Sharing Cases
• Backing Up Case Evidence
• Getting Support


Intended Audience 


Forensic software tools offered by Cellebrite are intended for use by law enforcement officials,
private investigators, corporate security specialists, and other parties who investigate Mac-based
and Windows-based computers and devices for evidentiary data.


Users of Cellebrite software should possess these core competencies. 


• Basic knowledge of and experience using Apple and Windows computers and their peripheral
devices

• Familiarity with macOS and Windows operating system environments

• Knowledge and training in basic computer forensics policies and procedures

• An understanding of forensic images and how to correctly acquire them

• A fundamental understanding of how to preserve, acquire, authenticate, and analyze digital
evidence, and how to report digital forensic investigation findings
Digital Forensics Overview


Forensics is preserving, acquiring, authenticating, analyzing, reporting, and managing digital 
evidence. Digital evidence includes data found on computer hard drives, external hard drives, 
CDs and DVDs, portable media such as USB thumb drives, Android devices, and iPod, iPhone, 
and iPad (iOS) devices. 


A digital forensic examination includes these basic steps. 


1. Preserve: Identify, secure, transport, and store the digital evidence (chain of custody).
2. Acquire: Create a forensically sound image of the evidence.
3. Authenticate: Confirm the forensic image is identical to the original (forensically sound).
4. Analyze: Create a case and analyze the evidence using an appropriate software solution.
5. Report: Thoroughly document the data investigation process and the results of the analysis.
6. Manage: Back up, archive, detach/attach, and restore cases and evidence as needed.


Preserving and Acquiring Digital Forensic Evidence 


Digital evidence must be preserved in its original form to the greatest extent possible for it to be 
admissible during a legal proceeding. A forensic examiner must carefully preserve, acquire, and 
authenticate electronic data during their examination. Therefore, it is of the utmost importance 
to acquire electronic evidence in a way that ensures no changes are made to the original data 
during the acquisition process. 


A forensically sound image is a bit-by-bit image that is identical in every way to the original, 
including allocated, unallocated, and free space. 


Preserving Evidence Using a Write-Blocker 


Some operating systems attempt to write to the hard drive or device containing original evidence 
during the acquisition process. A write-blocker stands between the forensic examiner's 
computer or hardware acquisition tool and the devices containing the original evidence. Write- 
blockers prevent evidence contamination during the acquisition process. 
These are the types of write-blockers.


Hardware-Based Write-Blockers: A hardware-based write-blocker is a hardware device 
that is placed with cables and port connections between the forensic examiner's 
computer and the device containing the original digital evidence. Hardware-based write- 
blockers allow one-way, read-only data transfer between the device containing the 
evidence and the forensic examiner's computer. If the forensic examiner's operating 
system tries to write to the device containing the original data, the write-blocker blocks 
the unwanted data transfer. 


Software-Based Write-Blockers: Software-based write-blockers serve the same 
purpose as hardware-based write-blockers. Software-based write-blockers reside on 
either the forensic examiner's computer, or on a hardware acquisition tool. SoftBlock™, 
offered by Cellebrite, is an example of a software-based write-blocker that runs on the 
forensic examiner's computer. Digital Collector, offered by Cellebrite, is an example of a 
hardware acquisition tool that has a software-based write-blocker built in. 


A software-based write-blocker may be advantageous to a forensic examiner, as it may eliminate 
the need to purchase and carry expensive and cumbersome external hardware-based write- 
blockers. 


Using SoftBlock During a Live Acquisition 


A forensic examiner may need to acquire data from a machine while the machine is running, or 
live. Data collected during a live acquisition may be saved to a forensic image as needed. Live 
data may be acquired from hard drives or another electronic data source. 


During a live acquisition, the device containing the original evidence must remain connected to 
the forensic examiner's machine throughout the investigation. A write-blocker must be in place 
throughout the investigation as well. SoftBlock is an excellent software-based write-blocking 
solution for live data acquisitions. 
Acquiring Digital Evidence


A forensic image is a physical representation of the acquired device, even though it is saved as a 
file. Forensic images are static, meaning they remain the same even after you add them to a 
case. Forensic images may be backed up and stored for later use if necessary. 


A forensic examiner uses these types of tools to acquire digital evidence. 


Hardware Acquisition Tools: Hardware acquisition tools are physical devices used to 
collect digital evidence. They do not necessarily have a central processing unit (CPU), are 
self-contained, and may be hand-held. Digital Collector is an example of a hardware 
acquisition tool. Digital Collector can acquire a forensically sound image or collect data 
directly from a live source Mac or Windows computer (including RAM for macOS). 


Software Acquisition Tools: Software acquisition tools reside on a forensic examiner's 
computer. Software acquisition tools often allow a forensic examiner to choose the 
forensic image file format, compression level, and the size of the data segments at the 
time the acquisition is performed. Inspector, offered by Cellebrite, has a software 
acquisition tool built in for acquiring iOS and Android devices. 


Authentication and Hashing 


After you acquire a forensic image, you must authenticate it to confirm that the image is an
exact copy of the original. This is done by hashing both the source and the acquired image.
Hashing applies an algorithm (a mathematical formula) to data to produce a fixed-length value,
usually written as a sequence of hexadecimal digits, that changes if any bit of the input changes.
If the hash value of the acquired forensic image matches the hash value of the original data, the
forensic image and the original data can be considered identical. Because MD5 and SHA-1 are
no longer collision resistant, record SHA-256 as well whenever the tool offers it; a matching
SHA-256 is the stronger evidence of integrity.


Digital Collector and Inspector use these algorithms to generate hash values. 


• Message Digest 5 (MD5)
• Secure Hash Algorithm 1 (SHA-1)
• Secure Hash Algorithm 2, 256-bit length (SHA-256)


Note: You may also hash individual files with Inspector. 
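The verification step above, as an added example: hash an acquired image, which may have been written as several segment files (compare the Segment Size option of the Image Device dialog), with all three algorithms in a single pass and compare the result with the digests recorded for the source. This is not Cellebrite's verification code; the source data, the segment files, and the single-byte change are constructed.

```python
"""Authenticate an acquired image: hash the image (possibly written as several
segment files) with MD5, SHA-1 and SHA-256 in one pass and compare with the
digests recorded for the source. Added example, not Cellebrite's verification
code; the source data and the segment files are constructed."""
import hashlib
import os
import tempfile

ALGOS = ("md5", "sha1", "sha256")


def hash_stream(chunks):
    """Feed every chunk to all three hash objects once; return {algo: hexdigest}."""
    hashers = {a: hashlib.new(a) for a in ALGOS}
    for chunk in chunks:
        for h in hashers.values():
            h.update(chunk)
    return {a: h.hexdigest() for a, h in hashers.items()}


def read_segments(paths, chunk_size=1 << 20):
    """Yield the bytes of the segment files in order, so they hash as one image."""
    for p in paths:
        with open(p, "rb") as fh:
            for buf in iter(lambda: fh.read(chunk_size), b""):
                yield buf


def verify_image(segment_paths, expected):
    """Compare the image digests with those recorded at acquisition.
    Returns (ok, actual); ok is True only if every recorded digest matches.
    An empty `expected` is a failure: there is nothing to authenticate against."""
    actual = hash_stream(read_segments(segment_paths))
    ok = bool(expected) and all(actual[a] == v.lower() for a, v in expected.items())
    return ok, actual


def demo(size=512 * 1024, split=300 * 1024):
    """Constructed run: hash a deterministic 'source', write it as two raw
    segments, verify, then flip one byte in the second segment and verify again."""
    src = bytes((i * 7919 + 13) & 0xFF for i in range(size))
    recorded = hash_stream([src])  # what the acquisition log would hold
    with tempfile.TemporaryDirectory() as d:
        segs = [os.path.join(d, "image.001"), os.path.join(d, "image.002")]
        with open(segs[0], "wb") as f:
            f.write(src[:split])
        with open(segs[1], "wb") as f:
            f.write(src[split:])
        ok_intact, _ = verify_image(segs, recorded)
        with open(segs[1], "r+b") as f:  # simulate a single changed byte
            f.seek(10)
            b = f.read(1)[0]
            f.seek(10)
            f.write(bytes([b ^ 0x01]))
        ok_tampered, _ = verify_image(segs, recorded)
    return ok_intact, ok_tampered


if __name__ == "__main__":
    print(demo())  # expected: (True, False)
```

Segment order matters: the files must be concatenated in acquisition order before hashing, which is why the paths are passed as an explicit list rather than collected with a glob whose sort order could differ between systems.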
Hardware and Software Requirements


The macOS installer for Inspector is delivered as a package file (.pkg) while the Windows 
installer is delivered as a setup executable. 


In addition to the Inspector installer, the installers for the operating system hash sets and the
memory symbols must also be run for Inspector to take advantage of those.


Recommended Hardware Requirements

Processor            Intel Xeon E5, 6-Core, or better
RAM                  32 GB DDR3 or higher
Screen Resolution    1680 x 1050 or higher
Free Disk Space      5 GB (installation only); 25 GB (temp space)

Minimum Hardware Requirements

Platform             Intel-based systems (Mac); x64 architecture (Windows)
RAM                  16 GB DDR3
Free Disk Space      5 GB (installation only); 25 GB (temp space)
Minimum Software Requirements 


Operating System Specification    Mac OS X 10.12.6 or newer*† 
                                  Windows 10 1809 or newer 
                                  Windows Server 2016 or newer 
iTunes                            12.6 or newer 
QuickTime (Mac)                   7.6.9 or newer 
Windows Media Player (Windows)    12 or newer** 


* In testing it was determined that Inspector performs best on OS X version 10.14.6. 


† We recommend strongly against using macOS versions .0 and .1 in all cases, for example 
10.15.0 or 10.15.1. 


** For Windows systems, Inspector uses whatever the default app may be for playing media files. 
Windows Media Player 12 is recommended. If you use Windows and do not have QuickTime 
installed and you need to play certain file types such as .AMR files (voicemail and so forth), you 
must install some non-default codecs, following the instructions found here: 
http://shark007.net/win8codecs.html. 


For information about downloading iTunes and QuickTime, please visit 
http://www.apple.com/quicktime/download/ 


Installing Inspector 


This user guide does not include installation instructions. For installation instructions, log in to 
https://www.community.cellebrite.com/s/support and select the Inspector Installation Guide in 
Product Documentation. 


Registration 


Inspector product license registration occurs at the time of payment and before the product is 
downloaded or shipped. Each license is bound to either a USB security device or a license key. 


You may view your current registration information, check for product updates and download 
new product releases from within Inspector, or by visiting our website at 
https://community.cellebrite.com/. 


Each new Inspector product license includes a one-year license subscription. During this one- 
year subscription period, you will have full access to Cellebrite technical support, and the right to 
download and install currently licensed product updates and new releases for that product. 
Please be sure to renew your product license subscriptions annually to continue receiving 
subscription benefits. 


Customers in law enforcement may continue to use Inspector if the subscription is not renewed; 
however, subscription benefits are no longer available. 


Customers in the private sector can no longer use Inspector if the subscription is not renewed. 


Analyzing Digital Evidence 


Digital forensic analysis includes identifying meaningful evidence that will be included in the 
forensic examiner's report. This section briefly describes several Inspector features that help 
streamline this process. 


Hashing Individual Files 


As mentioned in the previous section, hashing may also be performed on individual files. When a 
new case is created, or additional evidence is added to an existing case, Inspector gives an 
investigator the option of hashing all files as they are added. These hash values may then be 
used to verify file integrity, identify duplicate files, and identify both known and unknown file 
types. 


Known and unknown file type identification is useful during a forensic examination. Known file 
types might be standard system files that a forensic examiner may wish to ignore, or they may be 
files known to contain illicit or dangerous materials. Unknown file types may warrant further 
investigation. 


Known File Hash Set Database 


Inspector can use a Known File Hash (KFH) database when installed. This database allows a 
forensic examiner to quickly identify known file types in a case and determine whether certain 
files represent meaningful or insignificant evidence. 
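As an added example (not Inspector's own code) of the checks described under Authentication and Hashing, Hashing Individual Files, and Known File Hash Set Database: the script below hashes files in chunks with the three algorithms the guide lists, authenticates an acquired image against its source, groups identical files by digest, and sorts files into known and unknown against a hash set. Every file it reads is constructed in a temporary directory; nothing here is real case data.

```python
import hashlib
import os
import tempfile
from collections import defaultdict

ALGORITHMS = ("md5", "sha1", "sha256")  # the three algorithms the guide lists
CHUNK = 1024 * 1024                      # 1 MiB reads: large images never sit in RAM


def hash_blocks(blocks, algorithms=ALGORITHMS):
    """Feed an iterable of byte blocks through every algorithm in one pass and
    return {algorithm: hex digest}; how the data is chunked must not change it."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    for block in blocks:
        for h in hashers.values():
            h.update(block)
    return {name: h.hexdigest() for name, h in hashers.items()}


def hash_file(path, algorithms=ALGORITHMS):
    """Hash one file (a forensic image or an individual file) in CHUNK-sized reads."""
    with open(path, "rb") as fh:
        return hash_blocks(iter(lambda: fh.read(CHUNK), b""), algorithms)


def verify_image(source_path, image_path, algorithm="sha256"):
    """Authenticate an acquisition: the image is accepted only if its digest
    equals the digest computed over the source."""
    return (hash_file(source_path, (algorithm,))[algorithm]
            == hash_file(image_path, (algorithm,))[algorithm])


def find_identical(paths, algorithm="sha256"):
    """Group files with equal digests (what Find Identical Files relies on)."""
    groups = defaultdict(list)
    for path in paths:
        groups[hash_file(path, (algorithm,))[algorithm]].append(path)
    return {digest: files for digest, files in groups.items() if len(files) > 1}


def classify_known(paths, known_hashes, algorithm="sha256"):
    """Split files into known (digest present in a hash set) and unknown."""
    known, unknown = [], []
    for path in paths:
        digest = hash_file(path, (algorithm,))[algorithm]
        (known if digest in known_hashes else unknown).append(path)
    return known, unknown


def demo():
    """Run every check on constructed data (not real evidence) in a temp dir."""
    with tempfile.TemporaryDirectory() as d:
        def write(name, data):
            path = os.path.join(d, name)
            with open(path, "wb") as fh:
                fh.write(data)
            return path

        # 2 MiB + 3 bytes of deterministic "source" so more than one chunk is read.
        source_bytes = bytes(range(256)) * 8192 + b"END"
        source = write("source.bin", source_bytes)
        good = write("image_good.dd", source_bytes)          # faithful copy
        tampered = bytearray(source_bytes)
        tampered[1_500_000] ^= 0x01                           # one flipped bit
        bad = write("image_bad.dd", bytes(tampered))

        files = [write("a.txt", b"hello"), write("b.txt", b"hello"),
                 write("c.txt", b"world"), write("sys.dll", b"constructed system file")]
        # A one-entry "known file hash set" built from the constructed system file.
        known_set = {hash_blocks([b"constructed system file"])["sha256"]}
        known, unknown = classify_known(files, known_set)
        name = os.path.basename
        return {
            "image_good": verify_image(source, good),
            "image_bad": verify_image(source, bad),
            "duplicates": sorted(sorted(map(name, g)) for g in find_identical(files).values()),
            "known": sorted(map(name, known)),
            "unknown": sorted(map(name, unknown)),
        }


if __name__ == "__main__":
    print(demo())
```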


Searching 


Inspector includes multiple search features. A live or content search is a bit-by-bit comparison 
of a chosen search term against the entire evidence set in a case. This type of search may take 
longer to complete than an index search, but a live (content) search allows the examiner to 
search for non-alphanumeric characters and perform pattern searches (such as regular 
expressions and hexadecimal values). A smart index search searches an index created by 
Inspector of data residing in allocated space. 
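The following added example (not part of the guide or of Inspector) contrasts the two search types on a constructed 256-byte "image" whose second half stands in for unallocated space: the content search is a byte-level regular expression run over the whole image, so it can match hex values and data in unallocated space, while the index search only consults tokens built from allocated files.

```python
import re

# Constructed 256-byte "evidence set" (not real data): the first 128 bytes are an
# allocated file, the second 128 bytes are unallocated space holding a deleted note.
ALLOCATED = b"invoice.txt: Pay ACME Corp $4,200 by 2021-03-05.\x00"
UNALLOCATED = b"deleted memo: transfer to acct 55-0099 tonight\n\x00\xff\xfe"


def build_image():
    image = bytearray(256)
    image[0:len(ALLOCATED)] = ALLOCATED
    image[128:128 + len(UNALLOCATED)] = UNALLOCATED
    return bytes(image)


def content_search(image, pattern):
    """Live (content) search: a byte-level regular expression run over every byte
    of the image, so hex values, punctuation and unallocated space are all reachable.
    Returns (offset, matched bytes) pairs."""
    return [(m.start(), m.group()) for m in re.finditer(pattern, image, re.DOTALL)]


def build_index(allocated_files):
    """Smart-index style: tokenize only the allocated files once, producing a
    lower-cased word -> [(file name, offset)] map. Unallocated data never enters it."""
    index = {}
    for name, data in allocated_files.items():
        for m in re.finditer(rb"[A-Za-z0-9]+", data):
            index.setdefault(m.group().lower(), []).append((name, m.start()))
    return index


def index_search(index, term):
    """Index search: a dictionary lookup, fast but limited to indexed words."""
    return index.get(term.lower().encode(), [])


def demo():
    image = build_image()
    index = build_index({"invoice.txt": image[:128]})
    return {
        "index_acme": index_search(index, "ACME"),           # allocated: found
        "index_tonight": index_search(index, "tonight"),     # unallocated: not indexed
        "content_tonight": content_search(image, rb"tonight"),
        "content_hex": content_search(image, rb"\x00\xff\xfe"),   # hex value search
        "content_regex": content_search(image, rb"\d{2}-\d{4}"),  # pattern search
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```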
Tagging 


The Inspector tagging feature bookmarks meaningful evidence within a case. Evidence can be 
easily located and referred to once it is tagged. External "supplementary files" may be attached 
to tagged evidence, even if such files are not part of the current case. Tagged evidence can be 
incorporated into a report at any time during the investigation process. 


Reporting 


Inspector provides uniquely flexible and intuitive reporting features that allow forensic 
examiners to create customized reports and export them to one of several standard file formats. 


Generating Reports 


Inspector includes a report feature that allows convenient report creation and modification. 
Reports created within Inspector are searchable and can be exported to the .docx file format 
(compatible with Microsoft Word, Apple iWork, Pages, and LibreOffice), .html, .pdf, .csv, or .txt 
file formats. Custom logo and branding materials may also be incorporated into the examiner 
report. 


For more information, see Reporting. 


Sharing Cases 


Inspector includes a portable case feature that allows examiners to generate a portable case file 
for a case reviewer. An Inspector Portable Case reader, available for macOS and Windows, can 
be distributed with the data exported into the portable case file. This reader does not require 
installation, does not require a software license, and provides an interface for the case reviewer 
to view files, filter data, perform searches, tag information, and generate reports. 


For more information, see Portable Cases. 


Backing Up Case Evidence 


Throughout a digital forensic investigation, you should regularly make backups. Do this by 
copying the case to secure media and storing the media in a secure location. 


When planning an investigation and determining the resources needed, ensure sufficient storage 
space is available to keep adequate backups of the case. Each case backup requires the same 
amount of drive space as the case itself. 
Getting Support 


You can log in to the MyCellebrite portal at https://community.cellebrite.com, which provides 
access to resources and support. 


• Keep your products updated. 
• Contact Support or review the knowledgebase. 
• Download user manuals and data sheets. 
• Manage your product licenses. 
• Get expert assistance. 


You can also send an email to technical support at support@cellebrite.com. 


These technical publications are available for download. 


• Inspector Quick Start Guide 
• Inspector Installation Guide 
• Inspector User Guide 
• Inspector Portable Case Guide 
Workspace Orientation 


This chapter provides these topics about the workspace in Inspector. 


• Case Manager Window 
• Case Info View 
• Case Window 
• Menu Bar 
• Toolbar 
• Component List 
• Details View 
• File Information Pane 
• File Content View 
• Managing List Views 
• Settings, Preferences, and Options 


Case Manager Window 


Before you launch Inspector, make sure there is enough storage space on the working hard 
drive to store case files. 


When Inspector is launched, the Inspector Case Manager window appears. Recent cases are 
listed in the Inspector Case Manager window. 


[Screenshot: the Inspector Case Manager window. The menu bar shows File, Edit, Action, Tags, 
View, Manage, Window, and Help. Each recent case is listed with its name, database connection, 
creation date, and modified date, with the case file path beneath it. Buttons along the bottom 
are New, Open Other, Remove, Cancel, and Open.] 


The Inspector Case Manager window shows a list of recently opened cases. To open a case file, 
select the case and click Open. To reopen a case after it has been removed from the recent case 
list, click Open Other, navigate to the case file, and then click Open. You can open a case located 
anywhere in the file system. 


• On Windows computers, double-click the case file in File Manager. 
• On Mac computers, double-click the case file in Finder. You can also drag a case file from 
  Finder onto the Inspector Case Manager window to add it to the recent case list. 


To remove a recent case from the Inspector Case Manager window, select the case and click 
Remove or press DELETE. 


If the Inspector license subscription is due to expire in less than 60 days, a notice appears near 
the top of the Inspector Case Manager window indicating the number of days until expiration. 


If the subscription is not renewed, customers in the private sector can no longer use Inspector. 
Customers in law enforcement can continue to use Inspector after the expiration date, but 
software updates are no longer available. 


If you attempt to open a case file created using a previous version of Inspector, a prompt 
appears. Click Update to update the case file. The case file updates and case information 
remains intact, but it is always a good idea to back up case files before you update, as a 
precaution. 


Note: Some versions of Inspector do not support updating case files from previous versions. 


For more information, see Open a Case. 


Case Info View 


On the toolbar, click Case Info. The Examiner Information and Case Information fields appear 
where you can provide information about the examiner and the case, such as the case number 
and case synopsis. You can change this information any time during the examination. 


[Screenshot: the Case Info view. Examiner Information fields: Name, Organization, Title, Email, 
Address, Phone, and Fax. Case Information fields: Number, Name, and Synopsis. Case Time Zone 
Display: a Time Zone selector (UTC by default) with an example timestamp such as 
2021-03-05 23:14:07 (UTC).] 


The Examiner Information fields retain the information you provide when you create your first 
case in Inspector; you don't need to provide this information each time you create a case. 


Because each case is unique, you must provide the case number, case name, and synopsis for 
each case in the Case Information fields. In the bottom left corner of the Case Info window, you 
may select a time zone in the Time Zone field. This determines the time zone used by evidence 
timestamps in the Case Window and in the examiner report. 
By default, Inspector displays timestamps as Coordinated Universal Time (UTC). Dates and times 
are displayed with the selected time zone appearing in parentheses, for example: 2009-12-19 
19:34:51 (PST). Inspector makes automatic adjustments for daylight savings time shifts for 
different parts of the world. You don't need to make any manual changes. 
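An added example (not Inspector's code) of the display rule above: a stored UTC timestamp is rendered in the case time zone with the zone abbreviation in parentheses. To run offline without a system time zone database, the US Pacific daylight saving boundaries are computed from the post-2007 US rule, and only UTC and America/Los_Angeles are modelled; both of those are assumptions of this script, not behaviour documented by the guide.

```python
from datetime import date, datetime, timedelta, timezone


def _nth_sunday(year, month, n):
    """Calendar date of the n-th Sunday of a month (weekday(): Monday=0 ... Sunday=6)."""
    first = date(year, month, 1)
    first_sunday = first + timedelta(days=(6 - first.weekday()) % 7)
    return first_sunday + timedelta(weeks=n - 1)


def pacific_offset(utc_dt):
    """(offset in hours, abbreviation) for US Pacific time at a UTC instant.
    Post-2007 US rule: DST starts 02:00 PST on the second Sunday of March
    (10:00 UTC) and ends 02:00 PDT on the first Sunday of November (09:00 UTC)."""
    year = utc_dt.year
    start = datetime(year, 3, _nth_sunday(year, 3, 2).day, 10, tzinfo=timezone.utc)
    end = datetime(year, 11, _nth_sunday(year, 11, 1).day, 9, tzinfo=timezone.utc)
    return (-7, "PDT") if start <= utc_dt < end else (-8, "PST")


# Case time zones modelled here (a real implementation would consult a tz database).
ZONES = {
    "UTC": lambda utc_dt: (0, "UTC"),
    "America/Los_Angeles": pacific_offset,
}


def display_timestamp(utc_stamp, case_zone="UTC"):
    """Render a stored UTC timestamp (datetime or 'YYYY-MM-DD HH:MM:SS' string)
    as 'YYYY-MM-DD HH:MM:SS (ZONE)' in the selected case time zone."""
    if isinstance(utc_stamp, str):
        utc_stamp = datetime.fromisoformat(utc_stamp)
    if utc_stamp.tzinfo is None:
        utc_stamp = utc_stamp.replace(tzinfo=timezone.utc)  # stored values are UTC
    utc_dt = utc_stamp.astimezone(timezone.utc)
    hours, abbrev = ZONES[case_zone](utc_dt)
    local = utc_dt + timedelta(hours=hours)
    return f"{local:%Y-%m-%d %H:%M:%S} ({abbrev})"


if __name__ == "__main__":
    # Constructed UTC timestamps: one in winter, one in summer.
    print(display_timestamp("2009-12-20 03:34:51"))
    print(display_timestamp("2009-12-20 03:34:51", "America/Los_Angeles"))
    print(display_timestamp("2009-07-01 03:34:51", "America/Los_Angeles"))
```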


Case Window 


The Case window contains these elements. 


• Toolbar 
• Component list 
• Content pane 
• View filter 
• File Information pane (metadata) 
• File Content view 
• Status bar 


[Screenshot: the Case window with the elements above.] 
Toolbar 


The toolbar is located at the top of the Case window and is used to select different views that 
display device data in the Content pane in various ways. Additionally, there are several Content 
pane sub-views. These sub-views are discussed in more detail later in this manual. 


By default, the toolbar shows large icons and text labels. You can customize the toolbar by 
opening the toolbar context menu (press CTRL and select, or right-click anywhere on the 
toolbar). 


The context menu for the toolbar has these options. 


Option                   Description 
Big Icons with Labels    Default view with large icons and text labels 
Small Icons with Labels  Small 16x16 pixel icons with labels 
Big Icons                Large icons without labels 
Small Icons              Small 16x16 pixel icons without labels 
Labels Only              Shows text labels without icons 
When you add a device to a case, it is listed in the Evidence section of the Component list. Select 
the disclosure triangle next to a device to view device partitions and carved files located in 
unallocated space. To add evidence to a case, to the right of Evidence click Add and select the 
evidence type. 


The Activity section of the Component list shows file export status and 
evidence status (data import and processing status). Progress 
indicators appear here for many Inspector user-initiated tasks. 


Search results and the search criteria used for saved searches appear 
in the Content Searches section of the Component list. An examiner may 
create several custom searches during an examination, save them, and 
later refer back to the results and settings for each at any time during 
an examination. 


Queries created for Smart Index appear in the Index Searches section of 
the Component list. An examiner may create and save multiple index 
queries during an examination, save them, and later refer back to the 
results at any time during an examination. 


Tags and tagged items appear in the Tags section of the Component list. 
Select a tag to view individually tagged items within the tag. The 
numeric badge to the right of each tag indicates how many tagged items 
are contained within the tag. 


Investigative Notes appear in the Investigative Notes section of the 
Component list. Investigative Notes can be added at any time during 
an examination. 


For more information, see Component List. 


[Screenshot: the Component list, with sections EVIDENCE (expandable devices such as an .E01 
image with its NTFS / exFAT partition and a Recovery partition), CONTENT SEARCHES, INDEX 
SEARCHES, and INVESTIGATIVE NOTES.] 
File Information Pane 


Select a file and click the File Information pane to display metadata associated with that file. If 
the selected file is an image file, additional metadata is likely present. 


[Screenshot: the File Information pane, a two-column Field / Value table. Under Main it lists 
fields such as BlackLight ID, Evidence ID, Name, Path, Size, Size On Disk, Owner ID, Group ID, 
Permissions, Extension, Content Ext..., Date Created, Date Modified, Date Accessed, Date 
Changed, Locked, Hidden, Fork Count, File System (APFS in the example), Extents, and the 
physical sector, logical sector, and logical cluster locations.] 


The File Information pane displays extended attributes, hash values, date and time stamps, file 
paths, file size and EXIF, TIFF and location (GPS) data. Drag the dot at the top center of the File 
Information pane up or down to adjust the pane size. 


To hide and show the File Information pane, on the menu bar click View » Hide File Info or 
View » Show File Info. 
Content Pane 


The Content pane displays data in various ways depending on which view option or Component 
list item you select. In the Component list, select which devices to view by marking the checkbox 
next to the name. From left to right, select each toolbar button to navigate through the different 
Inspector view options. In the Component list, from top to bottom, select Activity, Content 
Searches, Index Searches, and Tags to see how the Content pane displays each. 


[Screenshot: the Content pane in Media view, with Pictures, Videos, Thumbnails, Combined, and 
Audio tabs, a Sticky Select option, and a grid of thumbnails labelled by truncated hash values.] 


A numbered badge appears in each view representing the numbered evidence item from the 
Component list. 


An examiner works with the Content pane for the majority of the time during forensic analysis, 
and for most of that time it displays data as a file list. 


View Filter 


The view filter exists in certain views such as the Media view. This filter allows for specific 
filtering of the data within the current view only. To see the view filter, click the Show/Hide Filter 
button. 


[Screenshot: the view filter, with a Match: All selector, a Reset button, and a filter row 
reading Any contains.] 


If the filter is active (applied) the Show/Hide Filter button is green. 
File Content View 


The File Content view has these main file viewing options. 


Hex 
Strings 
Preview 
Metadata 
Location 
Record 


In the Content pane, select a file. At the top of the File Content view, click Hex, Strings, and 
Preview to view the file as hexadecimal data, as character strings, and as a rendered preview, 
respectively. 


[Screenshot: the File Content view tab bar: Hex, Strings, Preview, Metadata, Location, Record, 
and a fork selector showing dataFork.] 


With a file selected, click Metadata in the File Content view. The metadata contents shown are 
identical to those displayed in the smaller File Information pane to the left, but you can enlarge 
the pane as much as you wish. 
[Screenshot: the Metadata tab of the File Content view, a Field / Value table that includes Date 
Accessed, Filesystem Offset, Sector Start, Hash Set, Metadata, and BSD Flags.] 
Select any media file that contains geolocation (GPS) data (as indicated by a red placemark icon), 
or any applicable record in the Location view, then click Location in the File Content view to 
display one or more offline maps depicting the item's latitude and longitude coordinates. 
Inspector also has a button to optionally view the location in Google Maps (if connected to the 
Internet), and other geolocation information contained in the file's metadata. 


[Screenshot: the Location tab for a selected picture, with a Show on Google Maps button and a 
Property / Value table listing Altitude (365.2207 m (1198 ft) in the example) and Time Stamp.] 


Any selected file that exists on a file system with a record structure, such as HFS (Catalog 
Tree) or NTFS (MFT), displays its file record in the Record tab. 
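As an added example (not Inspector's code), the parser below reads the fixed header of an NTFS MFT FILE record like the one shown in the Record view and undoes the update sequence fixups, which is what the Fixup Bytes and Sequence Number elements in the Data Structure pane refer to. The record is constructed inside the script; its header values echo those visible in the guide's hex dump (update sequence array at 0x30 with 3 entries, sequence number 3, first attribute at 0x38, record length 1024), while the record number and sector-tail bytes are made up for the demonstration.

```python
import struct

SECTOR = 512      # bytes per sector: one fixup entry protects each sector
RECORD = 1024     # MFT record length shown in the Record view
# Fixed FILE record header, little-endian: signature, update sequence array (USA)
# offset and entry count, $LogFile sequence number, sequence number, hard link
# count, first attribute offset, flags, used size, allocated size, base record
# reference, next attribute id, padding, record number.
HEADER = struct.Struct("<4sHHQHHHHIIQHHI")
FLAG_IN_USE, FLAG_DIRECTORY = 0x0001, 0x0002


def build_record(usn=0xA248, record_number=42):
    """Constructed on-disk FILE record (not read from a real volume). Header values
    echo those visible in the guide's hex dump; the body holds only an $END marker."""
    rec = bytearray(RECORD)
    HEADER.pack_into(rec, 0, b"FILE", 0x30, 3, 0x394D192C, 3, 1, 0x38, FLAG_IN_USE,
                     0x1F8, RECORD, 0, 5, 0, record_number)
    rec[0x38:0x3C] = b"\xff\xff\xff\xff"             # $END: no attributes follow
    rec[SECTOR - 2:SECTOR] = b"\x11\x22"             # payload bytes at sector tails
    rec[RECORD - 2:RECORD] = b"\x33\x44"             # (made visible for the demo)
    # Update sequence array at 0x30: the USN, then each sector's original tail,
    # while on disk the tail itself is overwritten with the USN.
    struct.pack_into("<H", rec, 0x30, usn)
    for i in range(RECORD // SECTOR):
        tail = (i + 1) * SECTOR - 2
        rec[0x32 + 2 * i:0x34 + 2 * i] = rec[tail:tail + 2]
        struct.pack_into("<H", rec, tail, usn)
    return bytes(rec)


def parse_record(raw):
    """Decode the header and undo the fixups. A sector tail that no longer equals
    the USN means the record was only partly written, so it is rejected."""
    if len(raw) != RECORD:
        raise ValueError("unexpected record length")
    (sig, usa_off, usa_count, lsn, seq, links, attr_off, flags, used, alloc,
     base_ref, next_attr, _pad, rec_no) = HEADER.unpack_from(raw, 0)
    if sig != b"FILE":
        raise ValueError("not an MFT FILE record")
    rec = bytearray(raw)
    usn = struct.unpack_from("<H", rec, usa_off)[0]
    for i in range(usa_count - 1):                   # usa_count includes the USN itself
        tail = (i + 1) * SECTOR - 2
        if struct.unpack_from("<H", rec, tail)[0] != usn:
            raise ValueError(f"fixup mismatch in sector {i}: torn write")
        rec[tail:tail + 2] = rec[usa_off + 2 + 2 * i:usa_off + 4 + 2 * i]
    return {
        "lsn": lsn, "sequence_number": seq, "hard_links": links,
        "first_attribute_offset": attr_off, "in_use": bool(flags & FLAG_IN_USE),
        "is_directory": bool(flags & FLAG_DIRECTORY), "used_size": used,
        "allocated_size": alloc, "base_reference": base_ref,
        "next_attribute_id": next_attr, "record_number": rec_no,
        "usn": usn, "fixup_count": usa_count - 1, "body": bytes(rec),
    }


def record_is_consistent(raw):
    """True when the fixups verify, False for a torn or non-FILE record."""
    try:
        parse_record(raw)
        return True
    except ValueError:
        return False


def corrupt_tail(raw):
    """Simulate a torn write: the last sector's tail no longer carries the USN."""
    rec = bytearray(raw)
    rec[RECORD - 2] ^= 0xFF
    return bytes(rec)


if __name__ == "__main__":
    info = parse_record(build_record())
    for key in ("sequence_number", "hard_links", "first_attribute_offset", "in_use",
                "allocated_size", "fixup_count"):
        print(f"{key}: {info[key]}")
```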


[Screenshot: the Record tab for an NTFS file, showing the raw MFT FILE record as a hex dump 
beside a Data Structure pane that lists each element with its value, position, and size: MFT 
Header, Update Sequence, Fixup Bytes, Sequence Number, Flags, Attribute Offset, Record 
Length (1024), and base record Reference. The status line shows the sector offset and the 
physical and logical sector in decimal or hexadecimal.] 


To adjust the size of the File Content view, at the top of the pane, click and drag the handle up or 
down. 




You can "tear off" the File Content view as a separate window so you can simultaneously see the 
file content in multiple windows. The tear-off handle appears as several short, vertical lines 
immediately above the Hex tab in the upper left of the File Content view. 


[Screenshot: the tear-off handle above the Hex tab of the File Content view.] 


Click the handle and drag it away in any direction. A new File Content view window appears. This 
new window can be placed on another monitor if multiple monitors are being used, and it can be 
enlarged to the desired size. Additional tear-off File Content view windows can be created, and 
each one can be used to view different data if desired. For example, one window may show the 
Preview tab, while another shows Metadata, and a third reveals Location maps. When a file is 
selected within the original case window, such as in Browser view, all of the tear-off windows 
update to reflect information related to that file. There is no need to reconnect these tear-off 
windows to the original case window. Simply close each window when finished with it. Even 
though the File Content view can be hidden on the original case window, it is always there and 
never has to be reattached. 


For more information, see File Content View. 


Note: The File Content view pane is not active in Case Info, Details, Report, and Share views. 


The Status Bar 


The Status Bar shows selected data such as Content pane file counts and the pathnames of 
selected files. Some progress bars also appear in the Status Bar. 


Menu Bar 


The menu bar in Inspector is located at the top of the screen on a Mac computer and at the top 
of the application window on a Windows computer. The menu bar has these options. 


Menu        Mac    Windows 
Inspector   Yes 
File        Yes    Yes 
Edit        Yes    Yes 
Action      Yes    Yes 
Tags        Yes    Yes 
View        Yes    Yes 
Manage      Yes    Yes 
Window      Yes    Yes 
Help        Yes    Yes 


Note: Only Inspector for Mac includes the Inspector menu. This is due to the difference between 
the Mac and Windows platforms. 
Inspector Menu 


The Inspector menu is available only on Mac computers. 


In the menu bar, click Inspector, and then click the appropriate action. 


Option              Description 
About Inspector     Version, license, and contact information for Inspector 
Check for Updates   Check for a newer version of Inspector 
Preferences         Open the Inspector preferences window 
Services            Open the System Preferences keyboard shortcut service 
Hide Inspector      Hide the Inspector application window 
Hide Others         Hide all other application windows except Inspector 
Show All            Show all application windows 
Quit Inspector      Stop and exit the application 


For more information about Preferences, see Inspector Preferences or Options. 
About Inspector 


The About Inspector option opens the About Inspector window, which shows dongle ID (serial 
number) and license expiration. 


Please have the Dongle ID ready when contacting Cellebrite Technical Support or your sales 
representative. The expiration date shown is the date when the Inspector License Subscription 
(BLS) contract ends. 


For public sector customers, Inspector continues to function after the BLS expiration date, but 
software updates are no longer available. For private sector customers, Inspector no longer 
functions after the BLS expiration date. 


[Screenshot: the About Inspector window, showing Version (10.3 in the example), Build, Dongle 
ID, Expiration, and Platform, followed by Company (Cellebrite), Web Page 
(community.cellebrite.com), Sales and Support (support@cellebrite.com), and the notice 
Copyright © 2010-2021 Cellebrite. All Rights Reserved.] 


Check for Updates 


The Check for Updates option is available if the analysis computer has an Internet connection. 


Select this option to see if new updates are available. A web browser opens to the MyCellebrite 
portal, where you can log in and navigate to the Inspector software downloads page. 
File Menu 


Select the File menu and choose the appropriate submenu option to create a new case, open an 
existing case, or add evidence such as disk images, devices, and folders to a case. 


The File menu contains these items. 


Option                  Description 
New Case                Create a new Inspector case 
Open Case               Open an existing case 
Open Recent             List recently opened cases 
Close                   Close the current case 
Add Evidence            Add evidence to the case 
Add Selected            Add selected evidence (such as a selected disk image) to the case 
Create Case Archive     Create an archive of a case from the Case Manager window for transfer 
                        between Mac and Windows platforms 
Restore Case Archive    Import a case archive into a new casefile 
Save Case Template      Save customized case settings (tags, file filter, search, and evidence 
                        import settings) as a processor template 
Import Case Template    Import a case template containing customized case settings and apply it 
                        to a new case 
Export Case Template    Export a case template (for other examiners to use) 


Create Case Archive 


To move a casefile between computers with different platforms, such as one created on a Mac 
computer to a computer running Windows (or vice-versa), a case archive must be created, which 
can then be transferred between the two computers. A case archive can also be used to import a 
case file into a version of Inspector that does not support upgrading case files from previous 
versions of Inspector. 


To create the case archive, navigate to the Case Manager window, click File » Create Case 
Archive. A Save window appears, allowing the examiner to choose where to save the archive. The 
archive is comprised of a folder containing a bl-casedata text file and a partitions.zip archive. 
When transferring the archive between computers, the folder and its contents must be copied. 
Restore Case Archive 


To open a case archive, the archive must be imported into a new casefile. 


To import the archive folder, navigate to the Case Manager window, click File » Restore Case 
Archive. An Open window appears. Within this window, select the archive folder containing the 
bl-casedata text file and partitions.zip file, and then click Open. 


Save Case Template 


Customized Inspector case settings such as tags (empty), file filters, saved searches, and 
evidence processing options can be saved to a template and used in subsequent cases. 


To save the current settings as a template, click File » Save Case Template. The Save Case 
Template window appears, where you can choose which settings to include in the template. 


[Screenshot: the Save Case Template window. It reads "A Case Template provides default settings 
for new case files. Select the items to be mirrored when creating a new case." and offers the 
checkboxes Tags (Empty tags will exist with the same names), File Filters, and Saved Searches, 
an Edit Processor Templates... button, and a Cancel button.] 


Click Edit Processor Templates. The Add Evidence window appears, with no evidence shown. 
Choose the processing options to save, then in the field below all the processing options, type 
the name for the processor template, and then click Add. 


[Screenshot: the Add Evidence window. Processing Options: Preview, Triage, or Comprehensive, 
with checkboxes for Process Archives, Process OCR Image Text, Calculate Hashes, Identify Known 
Files, File Carving, File System Journal Analysis, Spotlight Parsing, OS Event / Security Logs, 
Smart Indexing, Content Search (Bulk extraction), iCloud Backups, Hiberfil.sys / Pagefile.sys 
(Quick Scan or Deep Scan), and Calculate File Entropy, plus a Manage Passwords... button.] 


The new processor template is added to the Saved Templates list. To delete a processor 
template, select it in the Saved Templates list and click Delete. When finished, click Save. Then 
click Save in the Add Evidence window. 


For more information, see Adding Evidence to a Case. 


To use a saved case template (for example, a template with saved tags, file filters, and saved 
searches), you need only create a new case. The saved settings are automatically reflected by 
default in the new case, even if the Inspector application was restarted since the settings were 
saved. 


Export Case Template and Import Case Template 


To share a template with other examiners, the template must be exported (as opposed to using 
the Save Case Template option). Likewise, to save multiple case templates, export each one by 
clicking File » Export Case Template. To finish the export process, type the name of the 
template, choose the save location, and then click Save. 


To import a case template, click File » Import Case Template, select the appropriate template, 
and then click Open. 
Edit Menu 


The Edit menu includes typical cut, copy, paste, undo, redo, and find submenu options. 


In the Search Results view (such as when an item is selected in the Content Searches section of 
the Component list), the Edit menu includes the Delete Search (search name) option. 


In the Tags view (such as when an item is selected in the Tags section of the Component list), the 
Edit menu includes the Delete Tag (tag name) option. 


On the Windows platform, the Edit menu includes Options, which is identical to Inspector » 
Preferences on the Mac platform. For more information, see Inspector Preferences or Options. 


Action Menu 


The Action menu includes several options for handling evidence. 


Option | Description

Save File Listing | Save attributes from the selected file(s), such as date stamps, paths, extensions and File IDs, to a text file

Copy Path | Copy the selected file's path to the clipboard

Quick Look (Mac only) | Preview the selected file without launching its application

Find Identical Files | List all files with identical hashes to the selected file(s)

File History | Display a File History window for files with variants parsed from Windows Volume Shadow Copies

Export | Provides access to a sub-menu for exporting information from Inspector

Reveal | Provides access to a sub-menu for revealing data


Save File Listing 


The Save File Listing menu option saves attributes for the selected files (such as date stamps, paths, extensions, and unique IDs) to a text file. When you click Save File Listing, the Save dialog box appears. Select the location where the file listing should be saved, and then click Save.


By default, Inspector File Listings are saved as .asc files, which may be opened by a text editor or 
spreadsheet application. 
Copy Path


The Copy Path menu option is only available when a file is highlighted. This feature copies the 
selected file's path to the clipboard. The Copy Path option is useful when using the Search 
feature in the Contain Search to area. Simply copy the path into the search path text field. 


Quick Look 


The Quick Look menu option is available only on Mac computers. It opens the selected file using the Apple Quick Look framework. Quick Look renders the selected file in its native view if there is an appropriate Quick Look plug-in, or if the file's native application is installed on the examiner's analysis machine.


Highlight a file and press SPACEBAR to activate the Quick Look feature via keyboard shortcut.


Find Identical Files


To locate files with the same hash value as a specific file (identical files), select a file in the Content pane, then click Find Identical Files. Inspector automatically switches to the File Filter view and applies the List All Files and File Hash | is | «hash value» filter options. Files with the same hash value appear in the Content pane.


[Screenshot: the File Filter view with the File Hash filter applied; the filter bar offers Invert Filter, Ignore Folders and Duplicate Files, and Save This Filter]


File History


The File History menu option is available only when files from a Windows volume with Volume Shadow Copy variants are selected or highlighted. When a file is selected and the File History menu option is chosen, a File History window appears.


For more information, see Browser View. 
Export Menu


The Export menu option is used to export selected or highlighted files. The Export menu opens a 
sub-menu with several export options: 


Option | Description

Export Selected Files | Export (copy) the selected file(s) to an external folder

Export Selected Files As L01 | Export the selected file(s) to a Logical Evidence File maintaining metadata and folder structure

Export for Legal Review | Export responsive files while preserving important metadata

Export Hash Set | Export hash values for all selected files as an Inspector hash set (Inspector hash sets can be saved and imported into other Inspector cases)

Export Data Model | Export selected files to the chosen data model format

Export Case Data As XML | Export case data (all evidence items or a selected evidence item) to an XML file

Export Selected Rows | Export selected database rows from the active case to a tab-delimited or CSV file

Export Selection | Export a highlighted selection as either raw, formatted data, or as simple hex

Export Selected Location Data As | Export GPS metadata from selected files to a KMZ or KML file (Google Earth placemark file)


Some menu selections have additional sub-menus. 


Export Selected Files 


These are the options in the Export Selected Files menu. 


• Files Only
• Folder Structure
• Folder Structure (from root)


The Files Only option exports only the selected files. If a folder is selected, the files within the
folder will be exported, but the folder will not be exported. The files from the folder will be placed 
in the directory chosen for export along with any other files selected for export. If files are 
selected from more than one device or volume they will all be placed in the same export folder. 
Refer to the Volume Name or Volume ID in the BBTExportLog.txt to determine on which device 
or volume the files were originally located. 


The Folder Structure option exports selected files and folders. When folders are selected, the 
folders and the files within the folder will be placed in the directory chosen for export along with 
any other files selected for export. If files are selected from more than one device or volume, a folder will be created in the export directory named with the number badge shown in the Component list, underscore, device, or volume name. The files and folders exported from each device or volume will be placed in the corresponding folder.


The Folder Structure (from root) option exports the selected files and folders, maintaining the 
folder structure from the root of the device. If files are selected from more than one device or 
volume, a folder will be created in the export directory named with the number badge shown in 
the Component list, underscore, device, or volume name. The folder structure from the root of 
the device or volume will be created in the corresponding export directory containing the files 
and folders selected for export. 


Export Selected Files As L01 


The Export Selected Files As L01 menu option is available only when files are selected or 
highlighted. When a file is selected and you choose the Export Selected Files As L01 option, you 
can select or create a destination folder and provide a name for the Logical Evidence File. 


Export For Legal Review 


Click Export for Legal Review to export selected files in a format suitable for loading into an 
electronic discovery review platform. From any file list, select the files to export and choose 
Export for Legal Review. The Export Files for E-Discovery dialog box appears. In the Load File 
Format field, select the appropriate load file type. Type the custodian ID, custodian name, and a 
case name into the corresponding text fields. 


Cases can be exported to an Inspector Load File, a tab-delimited file, or a Concordance load file. 
Options are also available in the Export Files for E-Discovery dialog to add a prefix to the 
collection folder name and the files. The folder name is a combination of the Folder Prefix and 
the Case Name. 


[Screenshot: the Export Files for E-Discovery dialog box, with Load File Format: Inspector Load File; Custodian ID; Custodian Name: Smith; Case Name: 0001; a preview of the resulting path CAPTURE0001/DOCUMENT000000001; Folder Prefix: CAPTURE, Starting ID: 1, Length: 4; File Prefix: DOCUMENT, Starting ID: 1, Length: 9; Files Per: 5000; and the checkboxes Add missing file extensions (file typing required) and Ignore .DS_Store files]


Files in the capture are named using the File Prefix. There are also options to Add missing file extensions (file typing required) and to Ignore .DS_Store files.


When settings are complete, click Export. A load file containing the selected files and information about the files (metadata) is generated. Once files are exported to a destination folder, if an attempt to create a second export in that folder is made, Inspector provides a warning. The warning is an effort to prevent overwriting previous exports.
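The numbering the dialog preview shows (CAPTURE0001/DOCUMENT000000001, with 5000 files per capture folder) worked through as an added Python example. This is not Inspector's own code; the load-file columns and the overwrite check are assumptions for illustration.

```python
"""Capture/document numbering as used in the Export Files for E-Discovery
dialog. Added, constructed example; not Inspector's code. The load-file
column set and the destination check are assumptions."""
from dataclasses import dataclass
from pathlib import Path


@dataclass(frozen=True)
class NamingScheme:
    """Defaults taken from the dialog example: CAPTURE0001/DOCUMENT000000001."""
    folder_prefix: str = "CAPTURE"
    folder_start_id: int = 1
    folder_id_length: int = 4
    file_prefix: str = "DOCUMENT"
    file_start_id: int = 1
    file_id_length: int = 9
    files_per_folder: int = 5000


def export_name(index: int, scheme: NamingScheme = NamingScheme()) -> str:
    """Relative path for the index-th exported file (0-based). A new capture
    folder starts every files_per_folder files. Raises if an ID would overflow
    its fixed width, because a truncated ID would make two documents collide."""
    if index < 0:
        raise ValueError("index must be non-negative")
    folder_id = scheme.folder_start_id + index // scheme.files_per_folder
    file_id = scheme.file_start_id + index
    for value, width in ((folder_id, scheme.folder_id_length),
                         (file_id, scheme.file_id_length)):
        if len(str(value)) > width:
            raise ValueError(f"ID {value} does not fit in {width} digits")
    return (f"{scheme.folder_prefix}{folder_id:0{scheme.folder_id_length}d}/"
            f"{scheme.file_prefix}{file_id:0{scheme.file_id_length}d}")


def load_file_rows(originals, scheme: NamingScheme = NamingScheme()) -> list:
    """Tab-delimited load-file rows (assumed column set) mapping each document
    ID back to its original path and size, so a reviewer can trace every
    exported document to its source in the case."""
    rows = ["DocID\tExportPath\tOriginalPath\tSize"]
    for index, (original_path, size) in enumerate(originals):
        relative = export_name(index, scheme)
        doc_id = relative.split("/")[1]
        rows.append(f"{doc_id}\t{relative}\t{original_path}\t{size}")
    return rows


def check_destination(destination: Path, scheme: NamingScheme = NamingScheme()) -> None:
    """Mirror the dialog's warning: refuse to export into a folder that already
    holds a capture folder from a previous export, instead of overwriting it."""
    existing = sorted(p.name for p in destination.glob(f"{scheme.folder_prefix}*")
                      if p.is_dir())
    if existing:
        raise FileExistsError(f"previous export found in {destination}: {existing}")


if __name__ == "__main__":
    # Constructed sample of originals: (original path, size in bytes).
    sample = [("/Users/smith/Documents/memo.docx", 20480),
              ("/Users/smith/Documents/budget.xlsx", 55296)]
    for row in load_file_rows(sample):
        print(row)
    print(export_name(5000))  # first document of the second capture folder
```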


Export Hash Set


Custom Inspector hash sets (.blhs) may be saved and imported into other Inspector cases. To generate a hash set from specific files in any Inspector view, select the files and click Export Hash Set. The Hash Set Export dialog box appears, presenting the three hash types: MD5, SHA-1, and SHA-256. Mark the hash types to include in the hash set, and then click Continue. In the Hash Set Save Location dialog box, click Save. The custom Inspector hash set is generated and saved.


To generate a hash set of every file in a case, in the Browser view, select the root folder (at the 
top of the file list) and choose the Export Hash Set menu option. 


By default, hash sets are saved in the /Cellebrite/Inspector/Hash Sets folder. This folder is found in these locations.


• macOS: User/Library/Application Support/Cellebrite/Inspector/Hash Sets
• Windows: \user\AppData\Roaming\Cellebrite\Inspector\Hash Sets


You may also import existing custom Inspector (.blhs), EnCase (6.19 and lower), and NSRL hash 
sets, as well as hash sets saved as plain text documents. For more information, see Hash Set 
and File Signature DB Management. 
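Hash-based identification as an added Python example, not Inspector's own code: the three hash types the Hash Set Export dialog offers, the equal-hash grouping behind Find Identical Files, the matching the Known Files process performs, and a plain-text hash set written and read back. The one-hash-per-line text layout is an assumption; the .blhs format is not described on this page.

```python
"""Hashing, identical-file grouping and plain-text hash sets. Added example;
not Inspector's code. One hexadecimal hash per line is an assumed layout."""
import hashlib
from collections import defaultdict
from pathlib import Path

# The three hash types offered by the Hash Set Export dialog.
HASH_TYPES = ("md5", "sha1", "sha256")


def hash_bytes(data: bytes, hash_types=HASH_TYPES) -> dict:
    """Hash an in-memory blob with each selected algorithm."""
    return {name: hashlib.new(name, data).hexdigest() for name in hash_types}


def hash_file(path: Path, hash_types=HASH_TYPES, chunk_size: int = 1 << 20) -> dict:
    """Stream a file through all selected algorithms in a single pass, so a
    large evidence file is read once rather than once per hash type."""
    hashers = {name: hashlib.new(name) for name in hash_types}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def find_identical(files: dict, hash_type: str = "sha256") -> dict:
    """Group paths by hash value and keep only groups with two or more
    members, which is what Find Identical Files lists for a selected file.
    `files` maps a path to the dict returned by hash_bytes/hash_file."""
    groups = defaultdict(list)
    for path, digests in files.items():
        groups[digests[hash_type]].append(path)
    return {digest: sorted(paths) for digest, paths in groups.items() if len(paths) > 1}


def export_plain_text_hash_set(files: dict, hash_type: str = "sha256") -> str:
    """Unique hash values, one per line, sorted so two exports diff cleanly."""
    unique = sorted({digests[hash_type] for digests in files.values()})
    return "\n".join(unique) + "\n"


def import_plain_text_hash_set(text: str) -> set:
    """Parse a plain-text hash set: skip blank lines and '#' comments, and
    lowercase every value so lookups are case-insensitive."""
    result = set()
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            result.add(line.lower())
    return result


def known_file_matches(files: dict, hash_set: set, hash_type: str = "sha256") -> list:
    """The Known Files comparison: paths whose hash appears in the hash set."""
    return sorted(path for path, digests in files.items() if digests[hash_type] in hash_set)


if __name__ == "__main__":
    # Constructed sample "files": path -> content.
    sample = {
        "vol1/Users/smith/report.txt": b"abc",
        "vol1/Users/smith/report copy.txt": b"abc",
        "vol2/backup/notes.txt": b"different",
    }
    hashed = {path: hash_bytes(data) for path, data in sample.items()}
    print(find_identical(hashed))
    print(export_plain_text_hash_set(hashed), end="")
```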


Export Data Model 


The Export Data Model menu option is used to export images, videos, and thumbnails in a specific data model format. Data models for pictures and videos can be exported to LACE, C4All, Project Vic, and Semantics21 formats. When exported, these data models can be ingested into their respective utilities for further processing.


Before exporting the data models, Inspector must have completed these processes. 


• Hashes
• File Types
• Pictures and/or Videos


42 


August 2021 Inspector User Guide 


The available data model formats are displayed in the Export Data Model sub-menu:


• Project VIC Version 1.1

• Project VIC Version 1.2

• Project VIC Version 1.3

• Project VIC Version 2.0

• BlueBear LACE

• C4All (For more information, see C4All.)

• S21


To export to a given data model, select the files of interest and then click Action » Export Data Model followed by the preferred data model. A window appears in which you specify a destination folder. Once the folder is selected, click Export.


[Screenshot: the Export Data Model folder selection dialog, prompting "Select a folder to save exported files to."]


Export Case Data As XML


To export casefile data to an XML file, click Export Case Data As XML, and choose either All 
Evidence Items or Selected Evidence Item. This will generate an XML file containing all of the 
normalized data from the casefile for either all evidence items or the currently selected evidence 
item. 


All normalized data from an Inspector casefile can be exported into a single XML file for ingestion into another utility that supports Inspector's XML format. Casefiles containing multiple pieces of evidence can export XML data for individual evidence items or for all evidence items.


Export Selected Rows 


The Export Selected Rows menu option is available from any view that displays data as a file list. 
This option may be used to export selected entries to either a TSV file, a Comma Separated 
Values (CSV) file, or logical evidence file (L01) depending on examiner preference. You can 
access this menu option from the Action menu or by opening the context menu for the selected 
rows. 
Export Selection


Workspace Orientation 


To export a Hex snippet from the File Content view as raw data, formatted data, or hex, at the top of the File Content view, click Hex » Export Selection. You can also open the context menu for the selected hex string and click Export Selection.


[Screenshot: the Hex tab of the File Content view for an NTFS $MFT file, with the context menu showing Tag Hex Data As, Apply Template, Export Case Data As XML, Export Selected Rows, and Export Selected Location Data As]


Export Selected Location Data As


Files containing GPS information can be selected, exported to a .kmz or .kml file, and mapped with the Google Earth application.


1. Select file(s) containing GPS data, click Action » Export Selected Location Data As, and then choose either KMZ or KML format.


2. In the Export dialog box, type a file name and choose or create a destination folder, and then click Export.


Inspector exports the GPS data to a .kmz or .kml file in the destination folder.


3. Open the .kmz or .kml file in Google Earth.


Google Earth displays a pushpin for each file. Each pushpin is also listed in the Google Earth sidebar Places section.


To see an applied .kmz/.kml file usage example, see Locating Live Victims. 
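The placemark export described above, as an added Python example that is not Inspector's code: one KML Placemark per file carrying GPS data, optionally packed into a KMZ, and a reader to verify the file before it is opened in Google Earth. The placemark fields and the sample coordinates are constructed.

```python
"""KML/KMZ placemark export for files with GPS data. Added example; not
Inspector's code. Placemark fields and coordinates are constructed."""
import io
import zipfile
import xml.etree.ElementTree as ET

KML_NS = "http://www.opengis.net/kml/2.2"


def _tag(name: str) -> str:
    return f"{{{KML_NS}}}{name}"


def build_kml(entries, document_name: str = "Inspector location export") -> str:
    """entries: iterable of (file_name, latitude, longitude, description).
    Each file becomes one Placemark. KML writes coordinates as
    longitude,latitude,altitude, the reverse of the usual lat/lon habit, and
    out-of-range values are rejected rather than silently mapped."""
    ET.register_namespace("", KML_NS)
    kml = ET.Element(_tag("kml"))
    doc = ET.SubElement(kml, _tag("Document"))
    ET.SubElement(doc, _tag("name")).text = document_name
    for file_name, lat, lon, description in entries:
        if not (-90.0 <= lat <= 90.0 and -180.0 <= lon <= 180.0):
            raise ValueError(f"{file_name}: coordinates out of range ({lat}, {lon})")
        pm = ET.SubElement(doc, _tag("Placemark"))
        ET.SubElement(pm, _tag("name")).text = file_name
        ET.SubElement(pm, _tag("description")).text = description
        point = ET.SubElement(pm, _tag("Point"))
        ET.SubElement(point, _tag("coordinates")).text = f"{lon:.6f},{lat:.6f},0"
    return '<?xml version="1.0" encoding="UTF-8"?>\n' + ET.tostring(kml, encoding="unicode")


def build_kmz(kml_text: str) -> bytes:
    """A KMZ is a zip archive whose main entry is doc.kml."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("doc.kml", kml_text)
    return buf.getvalue()


def kmz_entries(kmz_bytes: bytes) -> list:
    """Names of the entries inside a KMZ archive."""
    with zipfile.ZipFile(io.BytesIO(kmz_bytes)) as zf:
        return zf.namelist()


def read_placemarks(kml_text: str) -> list:
    """Parse placemarks back out as (name, latitude, longitude) tuples, which
    lets an examiner check an export before handing it to Google Earth."""
    root = ET.fromstring(kml_text)
    result = []
    for pm in root.iter(_tag("Placemark")):
        name = pm.find(_tag("name")).text
        coords = pm.find(f"{_tag('Point')}/{_tag('coordinates')}").text
        lon, lat, _altitude = (float(v) for v in coords.split(","))
        result.append((name, lat, lon))
    return result


if __name__ == "__main__":
    # Constructed sample: two photos with EXIF GPS positions.
    sample = [("IMG_0001.jpg", 40.7128, -74.0060, "EXIF GPS, 2018-12-17 17:05:46 UTC"),
              ("IMG_0002.jpg", 51.5074, -0.1278, "EXIF GPS, 2018-12-17 17:08:46 UTC")]
    kml = build_kml(sample)
    print(kml)
    print(read_placemarks(kml))
```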
Reveal


Option | Description

Reveal File on Disk | Export the selected file(s) from the current case and reveal the new location in the Finder or system browser

Reveal File in File Browser | Reveal the file location within the Inspector Browser

Reveal File in Disk View | Reveal the file location within the Inspector Disk View


Reveal File on Disk 


The Reveal File on Disk menu option exports (copies) the selected file(s) from the current case and reveals the new location in Finder or File Explorer. In the confirmation dialog box, click View File(s), and then select a destination folder. Click Export to export the files to the selected destination folder. A Finder or File Explorer window opens to reveal the location of the exported files.


Reveal File in File Browser 


The Reveal File in File Browser menu option reveals a file's location within the Inspector Browser view. This feature is extremely useful. Select a file in the Inspector File Filter or Search view and then click Reveal File in File Browser. Inspector switches to Browser view and displays the file in its actual location within the file system.


Reveal File in Disk View 


The Reveal File in Disk View menu option reveals a file's location within the Inspector Disk View. 
Select a file in the Inspector Browser or File Filter view and then select Reveal File in Disk View. 
Inspector switches to Details view, with the Disk View tab selected, and displays the file in that 
view. 
Tags Menu


The Tags menu contains options to help you manage meaningful evidence within a case. Tagged 
evidence is easily located and can be incorporated into the examiner's report at any time during 
the forensic examination. 


Option | Description

Delete Selected Tag | Removes the selected tag from the case. All tagged items associated with the tag are also removed.

Tag «Type of Items» As | Adds the selected items to a new or existing tag.

Remove «Type of Item» From Tag Group | Removes the selected items from all tags or specified tags.


Delete Selected Tag 


This menu option is available when a tag is selected in the Tags section of the Inspector Case 
window. 


Warning: Selecting this option deletes the selected tag and any tagged items associated with the 
tag. This action cannot be undone! 


Tag «Type of Items» As 


This menu option lets you add selected objects to either a new tag or an existing tag. The name of this menu option changes depending on the context and on the objects that are selected.


• When a file or multiple files are selected, the name is Tag File As.
• In the Actionable Intel tab, if Trash Items are selected, the name is Tag Trash Items As.
• In the Actionable Intel tab, if User Accounts are selected, the name is Tag User Accounts As.


Existing tags appear in the Tag «Type of Items» As menu along with their shortcut keys. 


Option | Description

New Tag | Create a new tag for the selected item.

Tag 1 | Existing tag named Tag 1. Inspector automatically assigns the shortcut 1 to the first existing tag.

Tag 2 | Existing tag named Tag 2. Inspector automatically assigns the shortcut 2 to the second existing tag.


For more information, see Tags.


Remove «Type of Items» From Tag Group


This menu option allows you to remove tagged items from all tags or a specific tag. This option is 
available when tagged items are selected in any view within Inspector. 


Warning: This action cannot be undone! 


Option | Description

All Evidence Tags | If selected items are listed in more than one tag, choosing this will remove the items from all tags.

«Tag Name 1» | Name of the first tag selected items are tagged in.

«Tag Name 2» | Name of the second tag selected items are tagged in.


When the selected items are tagged in multiple tags, all of the tags are listed.


View Menu


The View menu provides these options. 


Option | Description

Adjust List Columns | Choose which columns are visible in the list views, and change the order in which columns are displayed

Hide File Info / Show File Info | Hide or show the File Information pane, which provides metadata


Adjust List Columns 


To change the visible columns settings, click View » Adjust List Columns. You can show or hide each item in the list by marking or unmarking its checkbox. You can also reorder items in this list by dragging and dropping each item to the appropriate position. When you have finished making changes, click Apply Changes. The columns now appear in the specified order.


To return columns to the way they were displayed by default, click View » Adjust List Columns. 
Click Reset List to Defaults, then click Apply Changes. 


Note: Column options vary depending on which view is selected, and Inspector applies column 
option settings to each view independently. 


Hide/Show File Info 


To hide or show the File Information pane, click View » Hide File Info or Show File Info. 
Manage Menu


Use the Manage menu to manage hash sets, file signatures, plugins, C4All, SEMANTICS21, and passwords.


Option | Description | Platform

File Signatures | Open the File Signature Management window | macOS, Windows

Hash Sets | Open the Manage Hash Sets window | macOS, Windows

Plugins | Open the Manage Plugins window | macOS, Windows

C4All | Open the Manage C4All window | macOS, Windows

S21 | Open the Manage S21 window | macOS, Windows

Passwords | Open the Passwords window | macOS, Windows

Drive Mappings | Maps to a volume letter of your choice, thus avoiding the file path character limit of Windows | Windows


For more information, see Hash Set and File Signature DB Management. 


Window Menu 


Use the Window menu to manage your case windows. 


You may find it useful to see two or more current case views simultaneously, such as tagged 
items within a tag and the examiner report. 


Option | Description

Cases Window | Open the Inspector Case Manager window

Minimize | Minimize the current Inspector window

Zoom | Adjust current Inspector window size

New Window For This Case | Open another Inspector window for the same case

Hide Toolbar and Sidebar | Hide or show the Inspector toolbar, Component list and File Information pane


Open cases and multiple case windows appear as submenus in the Window menu. To bring a 
case to the front, click Window and select an open case. 




Help Menu 


Use the Help menu to get help, provide feedback, get technical support, and quickly access the 
Cellebrite website. 


Option | Description

User's Guide | Open this manual

Cellebrite Website | Open the Cellebrite home page in a web browser

Inspector Feedback | Send an email to Cellebrite to provide feedback about Inspector

Technical Support | Open the technical support page on the Cellebrite website in a web browser

License Manager | Opens Inspector License Manager application

Enter License Manager | Opens Dongle Required window


Toolbar 


The toolbar provides access to information about a case, details about the evidence in a case, 
report features, the Inspector portable case feature, analysis tabs, and notifications from 
Inspector. 


Button | Description

(Case Manager icon) | Opens the Case Manager window. For more information, see Case Manager Window.

Case Info | Click Case Info to see details about the case, including Examiner Information, Case Information and Case Time Zone Display. For more information, see Case Info View.

Details | Click Details to see details about the selected device or partition and an interactive graphical representation of device contents. For more information, see Details View.

Report | Click Report to see, edit, and generate the examiner report. For more information, see Reporting.

Timeline | Click Timeline to open the Timeline view. For more information, see Timeline View.

Share | Click Share to share the examiner report using the Portable Case feature. For more information, see Portable Cases.

Browser | Click Browser to see a view to navigate manually through the file structure on the device, similar to Finder on Mac computers or File Explorer on Windows computers. For more information, see Browser View.

File Filter | Click File Filter to quickly isolate specific files by kind or attribute. For more information, see File Filters.

Actionable Intel | Click Actionable Intel to see sub-views pertaining to the user's program execution (including Windows jump lists), device connections, device backups, account usage, file downloads, file knowledge (like recent items, Windows link files, and trash), passwords (Apple keychains), and searches. For more information, see Actionable Intel View.

Communication | Click Communication to see sub-views containing calls, messages, posts, voicemail, voice memos, favorites, contacts, and email. This includes data parsed from SMS, iMessage, and messages from other communication apps such as Skype, WhatsApp, Textfree, Kik, and so forth. For more information, see Communication View.

Media | Click Media to see and sort all pictures and video files located on devices, in folders, or recovered from unallocated space in Gallery view. Audio files may also be found in the Media view. For more information, see Media View.

Locations | Click Locations to see data parsed from maps applications, files containing location data, Wi-Fi networks, and location services data. For more information, see Locations View.

Internet | Click Internet to see internet history and cache information for Safari, Firefox, Chrome, Internet Explorer, and Edge browsers. For more information, see Internet View.

Productivity | Click Productivity to see data from the Calendar and Notes applications (macOS and iOS). For more information, see Productivity View.

System | Click System to see specific system files (including Windows registry items), data from Spotlight (macOS), data from a device's dynamic dictionary database, information about installed applications (includes profile information for installed social media apps), data from system logs, and memory parsed from memory files or Windows hibernation files. For more information, see System View.

Plugins | Click Plugins to see data parsed by any Inspector plugins for the selected devices. Inspector supports Apple Pattern of Life Lazy Output'er (APOLLO), a Python script used to query data from iOS databases. For more information, see Plugins View.

Notifications | Click Notifications to see notifications, copy their text, and dismiss them. A badge indicates the number of unread notifications.

Show/Hide Filter | Show/Hide Filter appears just below Notifications, and only for views that allow you to filter data directly. Click Show/Hide Filter to toggle between showing and hiding the filter pane. The arrows are green when a filter is applied in the current view. For more information, see File Filters and Filtering within Specific Views.
Component List


The Component list includes these sections. 


• Evidence
• Activity
• Content Searches
• Index Searches
• Tags
• Investigative Notes


These sections are always present in the Component list; however, items listed under each 
Component list section change according to user actions and evidence added or deleted. 
Evidence


In the Evidence section of the Component list, you can see a hierarchical device list. When you acquire a device, the new device is added to this list. A hard drive icon represents data imported from a disk image. Mobile device icons display according to the source device type (such as Android, iPhone, iPad, or iPod). In the Evidence section of the Component list, select a disk image. The disk image partitions and partitions containing carved files in unallocated space are shown. When multiple pieces of evidence have been added to a case file, you can reorder evidence items by highlighting a specific item and dragging it up or down in the list.


In the Component list to the right of Evidence, click Add to add another item to the case. To 
remove an item from the case, open the context menu and click Remove «Name» from Case. 


To show or hide the Component list and File Information pane, click Window » Hide Toolbar and 
Sidebar. 


Each evidence item is associated with a colored badge number. The numbering is sequential and 
is assigned by Inspector upon the initial evidence ingestion. When an image that contains 
multiple volumes is added to Inspector, those volumes appear in the component pane with 
sequentially numbered badges. The image container itself is not numbered. 
To see any data from a specific item within any Inspector view, mark the checkbox next to the appropriate volume. If the checkbox is not marked, that particular item will not appear in any view. The exception to this is the Details view, where each volume added to Inspector can be selected in the Details For field.


All the other views show data from the selected items. The Browser view shows the hierarchy of each volume along with the numbered badge and the volume label.


Likewise, the File Filter view shows the numbered badge in the first column for each corresponding item. All views within Inspector work this way.


If a volume is removed or added, badge numbering does not change to reflect the addition or 
removal. Any subsequently added volumes continue to be numbered incrementally. 
Activity


The Activity section of the Component list includes these categories. 


• Export Status
• Evidence Status


Export Status 


In the Activity section of the Component list, click Export Status. File export progress indicators 
are displayed here. A numerical badge next to Export Status indicates how many files are 
currently exporting. Completed exports are also listed. 


To clear the Export Status list, in the bottom left corner of the Content pane, click Clear List.


Evidence Status 


In the Activity section of the Component list, click Evidence Status to see the status of device 
acquisition and data processing, and to perform additional data processing on a device. 


Each evidence item has its own area. All processing options are shown for the item with the status of each. File processing options may be activated at any time during an examination. To start a process that has not yet begun, click Run for that process.


You may run the Known Files and the File Carving processes multiple times. Click Run next to 
Known Files to calculate hash values again. Click Rerun in the File Carving column to locate and 
select additional file types in unallocated space. 


[Screenshot: Evidence Status for an evidence item, listing each processing option (Journal, OCR Image Text, iCloud, Known Files, Indexing, Hiberfil/Pagefile, and so on) with its status, start time, and progress]


These are the available processing options. 


Option | Description

Parsing | Analyzes the file system and file paths

Extract Data | Processes data to populate data in the Actionable Intel, Communication, Locations, Internet, Productivity, and System tabs

DB Recovery | Recovers deleted entries from databases

File Types | Performs file signature analysis and compares the files' headers to the files' extensions

Pictures | Locates and builds thumbnails for all images, runs Image Analyzer

Videos | Locates and splits video files into sixteen frame sequences, runs Image Analyzer

Hashes | Calculates file hash values

Known Files | Compares file hashes to the selected hash databases

OCR Image Text | Process image (picture) files to extract text. Optical character recognition (OCR) converts text detected in the image into plain text which can be indexed and then searched. This process can be slow and is limited to these image types: pdf, tif, bmp, png, jpg, gif

File Carving | Attempts to carve known file types from unallocated space

Journal | Process the $UsnJrnl file in Windows and .fsevents in macOS

Events/Logs | Process Windows $LogFile analysis, EVT/EVTX analysis, macOS ASL logs, and macOS unified logs

Archives | Expands and processes the following archive files: zip, gz, 7z, tar

Indexing | Builds a smart index from data in allocated space

Content Search | Runs built-in searches against memory files

Spotlight | Process macOS Spotlight extended attribute data

Mail | Process Apple Mail and Outlook mail files

Correlation | Identifies correlated events done by the system, by a user, or by device

iCloud | Process iCloud backups from iCloud production files

Hiberfil/Pagefile | Process Windows memory hibernation file and pagefile

Entropy | Determines possible encryption level of files
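What the Entropy option in the table above measures, as an added Python example that is not Inspector's code: Shannon entropy in bits per byte over a whole file, plus a windowed scan that surfaces a high-entropy region inside an otherwise ordinary file. The thresholds and the sample data are assumptions; note that compressed files (zip, jpg, video) score as high as ciphertext, so a high score marks a candidate for review, not proof of encryption.

```python
"""Shannon entropy as an encryption indicator. Added example; not Inspector's
code. Thresholds are assumptions chosen for illustration."""
import math
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a constant stream, 8.0 when all 256 byte values
    are equally likely, which is how good ciphertext (and compressed data)
    looks. Empty input is reported as 0.0 rather than raising."""
    if not data:
        return 0.0
    total = len(data)
    return -sum((count / total) * math.log2(count / total)
                for count in Counter(data).values())


def classify(entropy: float) -> str:
    """Assumed bands: near the 8.0 ceiling is the encryption/compression
    signal; plain text, sparse and structured binary data sit well below."""
    if entropy >= 7.9:
        return "likely encrypted or compressed"
    if entropy >= 6.5:
        return "high (mixed content, review)"
    return "low (text, sparse, or structured data)"


def high_entropy_regions(data: bytes, window: int = 4096, threshold: float = 7.9) -> list:
    """Slide a fixed window over the data and return (offset, length) spans
    whose entropy reaches the threshold. An encrypted container embedded in a
    mostly-zero or text file shows up here even when the whole-file score
    stays low, which is the case a whole-file average hides."""
    spans = []
    start = None
    for offset in range(0, len(data), window):
        if shannon_entropy(data[offset:offset + window]) >= threshold:
            if start is None:
                start = offset
        elif start is not None:
            spans.append((start, offset - start))
            start = None
    if start is not None:
        spans.append((start, len(data) - start))
    return spans


if __name__ == "__main__":
    import os
    # Constructed samples: sparse zeros, plain text, and a uniform byte ramp
    # standing in for ciphertext (os.urandom gives a realistic near-8.0 score).
    for label, blob in (("zeros", b"\x00" * 4096),
                        ("text", b"The quick brown fox jumps over the lazy dog. " * 90),
                        ("uniform", bytes(range(256)) * 16),
                        ("random", os.urandom(4096))):
        e = shannon_entropy(blob)
        print(f"{label:8s} {e:.3f} bits/byte  {classify(e)}")
    padded = b"\x00" * 8192 + bytes(range(256)) * 16 + b"\x00" * 4096
    print("high-entropy regions:", high_entropy_regions(padded))
```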


These are the possible status symbols that can appear for a processing option.


Symbol | Description

(icon) | Overall progress of partition processing for the selected processing options, shown with start and end timestamps. Green light shows when processing started. Yellow light shows when processing is still in progress. Green light shows when processing completed. Timer shows the time it took to process the partition.

(icon) | Seen when Parsing or DB Recovery processes are running.

(icon) | Process has completed.

(icon) | Process has completed, but there are more options to run that were not selected.

(icon) | Process is running, but not complete. The process cannot be paused.

(icon) | Process is waiting to run.

(icon) | Process is running, but not complete. The process can be paused.

(icon) | Process has not been chosen to run.

(icon) | Process cannot run on the partition.

(icon) | There was an error with the process.


With an evidence item selected, Inspector shows a full log of the processing options run on the selected evidence. When a process is running, a pie progress wheel is displayed next to the device in the Component list which is processing. The pie progress shows the percentage of completed items.


In the Component list next to the Evidence Status item, a numerical badge indicates the number 
of devices currently processing. A numerical badge with the number of processors running for a 
given device appears next to each device in the Component list. An examiner may not view any 
data while the badge on the imported device reads "Busy." The badge displays a number as soon 
as the parsing process is complete. 
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Once parsing is completed on a partition, the examiner can begin browsing data in various views, 
though it must be remembered that not all data is available to view until processing is complete. 


When all the processors have completed, the case is fully ready for review, and an examiner may 
select any of the toolbar buttons to access different Inspector views. 


Certain processes can be paused during their progress. These processes will be identified by the 
Pause button. When clicked, the processor halts its progress and displays the gray Run button. 
To resume processing, click Run. 


The Hashes processor calculates MD5, SHA1, or SHA256 hash values (or any combination of the 
three) of the files within the selected evidence item. This processor can be rerun at a later date if 
the examiner wishes to recalculate the file hash values. To rerun this processor, click the yellow 
Run button in the Hashes column, and right-click the desired hash type in the Hash Types 
window that appears. A Rerun button appears. Click Rerun and the Complete status changes 
to a checkbox, which can be selected for processing. 


Content Searches 


The Content Searches section of the Component list allows users to create Content Searches 
and displays Content Searches that have been run. For more information, see Search. 


Index Searches 

The Index Searches section of the Component list provides access to the Smart Index. New 
queries of the Smart Index can be created, and saved queries can be accessed. For more 
information, see Search. 


Tags 


Items tagged are accessible via Tags in the Component list. For more information, see Tags. 
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Investigative Notes 


Investigative Notes are accessible in the Component list. Investigative Notes provide an area for 
the examiner to copy and paste or type in information they wish to note during the analysis. 


To add an Investigative Note, in the Component list click Add to the right of Investigative Notes. 


[Screenshot: Component list with the EVIDENCE, ACTIVITY, TAGS, CONTENT SEARCHES, INDEX SEARCHES, and INVESTIGATIVE NOTES sections; a note named New Investigative Note 1 is listed under Investigative Notes.] 


In the Investigative Note window, you can name the note and then paste or type content. 
Investigative Notes are saved in the case file but cannot be put in the analysis report. 


[Screenshot: Investigative Note window with the Investigative Note Name field (New Investigative Note 1), the Investigative Note text area, and Clear and Close buttons.] 
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Details View 


In Inspector, the Details view shows information about the device, device partition, file, and folder 
for each evidence item in the case. Evidence items display differently in the Details view depending 
on the item type (for example, partitions, unallocated space, folders, Android devices, and 
so forth). You can choose whether to include items shown in the Details view in the examiner 
report. For more information, see Reporting. 


In Details view, you can copy and paste text from the Content pane into a text file or export the 
text to a spreadsheet or database file. To the right of the device icon, select any or all of the 
device description text, then use your operating system's shortcut keys to copy and paste the text 
into your text file. To export the selected text items to a tab-delimited or CSV file, select text 
items in the Content pane, then open Inspector's context menu and click Export Selected Rows. 


Details View for Disk Images 


In the Evidence section of the Component list, select a disk image. In the toolbar, click Details. 
The Summary tab in the Content pane displays image attributes such as the device name, disk 
protocol, disk path, total size, and MD5, SHA1, and SHA256 hash values (or a Calculate Disk 
Hash link if a hash has yet to be calculated). Information about each partition is shown, such as 
partition type, partition name, start sector, and sector count, for the boot record, free space, EFI, file 
system, and so forth. 


[Screenshot: Summary tab header showing Device Name: Bennett-Computer-200820.E01.] 


The Summary tab offers a section at the bottom for entering an evidence ID and customizing the 
device name (Inspector automatically populates the Evidence Name text field; however, this may 
be changed according to company/agency practices). 
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The Disk View tab offers a raw look into the disk structure itself. From this view, the full partition 
list is displayed as in the Summary view; however, each partition type may be selected to display 
the corresponding disk view. In addition, the Data Interpreter displays and interprets any desired 
highlighted text that is in the hex view. 


[Screenshot: Disk View tab for KreeseUSSFDesktop.E01, showing the partition list (NTFS / exFAT (0x07)) with start sectors and sector counts, the hex view of the selected partition, and the Data Structure (Field, Value, Position, Size) and Data Interpreter panes.] 


It is also possible to search for strings or hex values from this view. To find a deleted 
HFS+ partition, for example, enter the ASCII volume header signature in the search field (H+ for HFS+, 
HX for case-sensitive HFSX). The volume header sits 1024 bytes into the volume, so a hit marks a 
candidate volume start 1024 bytes earlier. Press ENTER to start the search. 


The first time a hit is found, it is highlighted in bright green. To find more occurrences, use these 
keyboard shortcuts. 


• Mac computers: CMD+G 
• Windows computers: CTRL+G 


In Disk View, certain data structures for various filesystems are color coded, and you can review 
their interpreted values in the Data Structure view. For more information, see Hex Templates 
and Data Structure View. 


Details View for Partitions and Imported Folders 


In the Evidence section of the Component List, select a disk image partition or imported folder. 
In the toolbar, click Details. 


The Details view has two sub-views, Summary and Disk View. 
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Summary View 


The Summary view in the Content pane shows information about the top-level selected item, 
such as its name, disk protocol, total size, and index. 


[Screenshot: Summary tab for Bennett-Computer-200520.E01 (Disk Image File, 11.86 GB) with a Calculate Disk Hash link and the partition table: Protective MBR, Primary GPT Header, Primary GPT Table, Unallocated, EFI, APFS (Racer - Data, Preboot, Recovery, VM), NTFS BOOTCAMP (start sector 124497920, sector count 109942784), and Unallocated, each with partition type, name, start sector, and sector count. At the bottom: Evidence ID: Bennett-Computer-200520.E01 - 001 and Device Name: Bennett-Computer-200520.E01.] 


In the Details For field, choose a specific evidence item to see Extended Information and the 
Artifacts bar chart. 


[Screenshot: Details view with Bennett-Computer-200520.E01 selected in the Details For field. Extended Information shows OS Version: Mac OS X (10.15.4), File System: APFS, Folder Count: 100807, Pool Container Size: 502 GB, Space Used: 10.4 GB (11174010880 Bytes), and Root File Modify Date: 2020-04-14 15:48:20 (UTC). The Artifacts bar chart to the right uses a logarithmic count axis (1 to 1000000).] 


In Extended Information, you can see more details for the selected evidence item, such as file 
system type, total size, space used, space available, and timestamps for creation, modification, 
and access. For all standard volume types, Inspector parses out "Root File" timestamps that 
correspond to the root file within the volume. 


To change the Device name or Evidence ID, click Edit (pencil icon) to the right of either field. Type 
the appropriate name in the Device field or the appropriate information in the Evidence ID field, 
and then click outside the text field to escape it. 
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For FAT16 and FAT32 volumes, you can select the time zone in the File System Time Zone field, 
above the Artifacts bar chart. 


[Screenshot: Extended Information for the EFI volume of Bennett-Computer-200520.E01: File System: FAT32, Total Size: 200.0 MB (209715200 Bytes), File System Time Zone: Unknown.] 


In the Artifacts bar chart, you can see the quantity of file types for items such as movies, 
graphics, emails, documents, disk images, and archives. Inspector automatically detects the 
presence of archive files (.zip, .sit, .tar) and disk image files. 


When you double-click one of the colored bars, the File Filter view appears and shows the 
appropriate analysis view according to the selected bar. 


Disk View 


To see the selected partition in its raw view, click Disk View. This lets you see and search any 
free space, along with slack space, within the partition. Only data from within the selected 
partition is seen in this view. To see data outside of the partition, you must select a different 
partition or the full disk in the Details For field. 


To use the Disk View sub-view in other Inspector views, open the context menu for a selected 
item, and then click Reveal File in Disk View to see the first sector of the selected file in Disk 
View. 


Notes for macOS Computers 


Information is also parsed from various macOS plist files including model, host name, serial 
number, macOS setup timestamp, time zone, language, AirPort ID or AirPort Discoverable Mode, 
and MAC and IP address. 


For macOS 10.15, macOS information is parsed from the «System Volume» - Data partition, not from the 
system partition («System Volume»). 


For HFS+ volumes, Inspector does not parse the file and folder counts from the volume header. 
Rather, it adds up the total number of files and folders based on what has been parsed from the 
catalog plus the raw HFS files. 


The Volume Create Date timestamp for HFS+ volumes is stored in local time, based on the 
system's local time zone setting, rather than based on UTC. Inspector denotes this by showing 
(Local) next to the Volume Create Date timestamp. Volume timestamps for HFS+ volumes are 
parsed from the volume header. 
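The two HFS+ points above, locating a volume by its header signature in Disk View and reading the volume header while remembering that its create date is local time, can be checked by hand. The following is an added example, not Inspector's own code: it scans a raw image for the H+/HX signature, keeps only hits that sit 1024 bytes past a sector boundary with a plausible version word, and parses the header fields per Apple Technical Note TN1150 (big-endian, dates counted in seconds from 1904-01-01, createDate in local time, the other dates in UTC). The image bytes, the UTC-7 zone, and the file and folder counts are constructed for the demonstration.

```python
"""Added example (not Inspector's own code): find HFS+/HFSX volume headers in
a raw image by their ASCII signature, the way the Disk View string search is
used above, and parse the header fields the Details view reports, with
createDate treated as local time and the other dates as UTC (Apple TN1150).
The image bytes and the local time zone are constructed assumptions."""
import struct
from datetime import datetime, timedelta, timezone

VH_OFFSET = 1024                       # volume header starts 1024 bytes into the volume
VH_FMT = ">2sH12I"                     # signature .. freeBlocks, big-endian (52 bytes)
SIGNATURES = {b"H+": "HFS+", b"HX": "HFSX"}
HFS_EPOCH = datetime(1904, 1, 1)       # HFS dates count seconds from 1904 (naive)
SAMPLE_LOCAL_TZ = timezone(timedelta(hours=-7))   # assumed zone of the imaged Mac


def hfs_date(seconds: int, tz=timezone.utc):
    """Convert an HFS+ timestamp to an aware UTC datetime; 0 means unset."""
    if seconds == 0:
        return None
    return (HFS_EPOCH + timedelta(seconds=seconds)).replace(tzinfo=tz).astimezone(timezone.utc)


def parse_volume_header(volume: bytes, local_tz=timezone.utc) -> dict:
    """Parse the header of a volume whose first byte is volume[0]."""
    fields = struct.unpack(VH_FMT, volume[VH_OFFSET:VH_OFFSET + struct.calcsize(VH_FMT)])
    (sig, version, _attrs, _last_mounted, _journal_block, create, modify,
     _backup, _checked, files, folders, block_size, total_blocks, _free) = fields
    if sig not in SIGNATURES:
        raise ValueError(f"no HFS+ volume header signature: {sig!r}")
    return {
        "type": SIGNATURES[sig],
        "version": version,
        "create_date_local": hfs_date(create, local_tz),   # stored in local time
        "modify_date": hfs_date(modify),                    # stored in UTC
        "file_count": files,
        "folder_count": folders,
        "block_size": block_size,
        "total_blocks": total_blocks,
        "size_bytes": block_size * total_blocks,
    }


def find_volume_headers(image: bytes, sector: int = 512) -> list:
    """Every 'H+'/'HX' hit is only a candidate: keep it when it sits 1024 bytes
    past a sector boundary and the version word is 4 (HFS+) or 5 (HFSX)."""
    hits = []
    for sig in SIGNATURES:
        pos = image.find(sig)
        while pos != -1:
            start = pos - VH_OFFSET
            if start >= 0 and start % sector == 0 and pos + 4 <= len(image):
                (version,) = struct.unpack(">H", image[pos + 2:pos + 4])
                if version in (4, 5):
                    hits.append(start)
            pos = image.find(sig, pos + 1)
    return sorted(hits)


def build_sample_image() -> bytes:
    """Constructed 8 KiB image: zeros, a decoy 'H+' at an unaligned offset, and
    one HFS+ volume starting at byte 2048 whose createDate (local, UTC-7) and
    modifyDate (UTC) describe the same instant."""
    create_local = int((datetime(2020, 4, 14, 8, 48, 20) - HFS_EPOCH).total_seconds())
    modify_utc = int((datetime(2020, 4, 14, 15, 48, 20) - HFS_EPOCH).total_seconds())
    header = struct.pack(VH_FMT, b"H+", 4, 0, 0x4846534A, 0, create_local, modify_utc,
                         0, 0, 1250, 300, 4096, 262144, 1000)
    img = bytearray(8192)
    img[5000:5002] = b"H+"                                    # decoy, not sector-aligned
    img[2048 + VH_OFFSET:2048 + VH_OFFSET + len(header)] = header
    return bytes(img)


if __name__ == "__main__":
    img = build_sample_image()
    for start in find_volume_headers(img):
        print(start, parse_volume_header(img[start:], local_tz=SAMPLE_LOCAL_TZ))
```

Parsing the same header with the wrong zone (the default UTC here) moves the create date by the zone offset while leaving the UTC modify date alone, which is exactly the discrepancy the (Local) marker in the Details view is warning about.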
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Details View for Mobile Devices 


The Details view shows specific device information, including iOS device backup folder 
information for each iOS item in the case. Device items displayed in the Details view may also be 
included in or excluded from the examiner report. For more information, see Reporting. 


In the Evidence section of the Component list, select an Android device, iOS device, or iOS 
backup folder. On the toolbar, click Details. When a device is selected in the Component list, the 
Content pane displays device attributes such as device type, OS version, phone number, cellular 
usage, serial number (when available), model number, UDID, AirDrop ID (iOS devices), AirDrop 
Discoverable Mode (iOS devices), and last iOS backup timestamp (iOS devices). 


[Screenshot: Details view for a mobile device, showing the Name field and the Extended Information table (Field, Value).] 


When an iOS backup folder is selected in the Component list, the Content pane displays 
attributes such as the backup folder's associated device type, iOS version, phone number, serial 
number, UDID, IMEI, AirDrop ID, and last backup timestamp. 


To change the Device name or Evidence ID, click just to the left of the pencil icon. Type the 
appropriate information into the text field and click outside the text field to escape it. The 
modified text appears. 


In Artifacts, two bar graphs appear. Inspector automatically detects the presence of archive files 
(.zip, .sit, .tar) and disk image files. The left bar graph displays file counts by file type for these 
file types and others, such as graphics, documents, emails, movies, and disk images. The right 
bar graph displays file counts by file type for messages, apps, browser artifacts, notes, contacts, 
events, voicemail, and calls. 


When you double-click on a colored graph bar, Inspector switches to and configures an 
appropriate analysis view depending on the item selected. 
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These are the options for the left bar graph. 


Description 
Movies Switches to File Filter view » Movie Files 
Graphics Switches to File Filter view » Graphics Files 
Emails Switches to File Filter view » Email Files 
Documents Switches to File Filter view » Document Files 
Disk Images Switches to File Filter view » Disk Image Files 
Archives Switches to File Filter view » Archive Files 
These are the options for the right bar graph. 
Description 
Messages Switches to the Communication view, Messages sub-view 
Apps Switches to the System view, Applications sub-view 
Browser Switches to the Internet view 
Notes Switches to the Productivity view, Notes sub-view 
Contacts Switches to the Communication view, Contacts sub-view 
Events Switches to the Productivity view, Calendar sub-view 
VoiceMail Switches to the Communication view, Voicemail sub-view 
Calls Switches to the Communication view, Calls sub-view 


Details View for Other Types of Evidence Items 


In the Evidence section of the Component list, select an evidence item (such as unallocated 
space [carved files], memory, folder, file, and so forth). On the toolbar, click Details. 


The Artifacts bar graph shows file counts by file type for items such as movies, graphics, emails, 
documents, disk images, and archives. File count and bytes used are also shown. When you 
double-click on a colored graph bar, Inspector switches to and configures an appropriate 
analysis view depending on the item selected. 


Note: You must run the unallocated space processors before all data can be displayed in the 
artifacts bar graphs. For more information, see Managing Case Evidence. 
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File Information Pane 


All files contain metadata. Metadata is most easily defined as data about the data. Select a file in the Content pane. The file's metadata displays in the File Information pane. 

If the selected file is a picture file, additional metadata or extended attributes such as hash values, date and time stamps, file paths, file size, and EXIF, TIFF, and location (GPS) data may be included in the file and displayed in the File Information pane. The screenshot below shows the fields of the File Information pane. 

While all file systems have some metadata in common, additional metadata is available for some file systems. Metadata for all file systems commonly includes: 

• Name 
• Path 
• Size 
• Extension 
• Date Created 
• Date Changed 
• Date Modified 
• Date Accessed 
• Hash Values 
• Location on Disk 
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Field 

BBTID: 

FileSystemID: 

Name: 

Path: 

Size: 

SizeOnDisk: 

Extension: 

ContentExtension: 

Date Created: 

Date Changed: 

Date Modified: 

Date Accessed: 

FileSystemOffset: 
fsType: 

Directory: 

Visible: 

Locked: 

Owner ID: 

Group ID: 
Permissions: 

Entropy: 

ForkCount: 
Hash:1:SHA1: 
Hash:1:SHA256: 
Hash:1:MD5: 
Extents: 

Sector Start: 

Hash Set Category: 

Metadata 

BSD Flags: 

com.apple.lastused... 
com.apple.macl: 
Date Added: 
Tracked: 

Spotlight 

kMDitemContentCre... 
kMDitemContentCre... 
kMDitemContentMo... 
kMDitemContentMo... 
kMDitemContentType: 
kMDitemContentTyp... 
kMDitemContentTyp... 
kMDitemContentTyp... 
kMDItemContentTyp... 
kMDitemContentTyp... 
kMDItemContentTyp... 
kMDItemContentTyp... 
kMDitemContentTyp... 
kMDitemContentTyp... 
kMDitemDateAdded: 
kMDitemDateAdded... 
kMDitemDisplayName: 
kMDiteminteresting... 
kMDitemKind: 
kMDitemLastUsedD... 
kMDitemLastUsedD... 
kMDitemLogicalSize: 
kMDitemPhysicalSize: 
kMDitemUseCount: 
kMDitemUsedDates[... 
kMDItemUsedDates[... 
.kMDitemContentCh... 


LA AA mI ESSE iSeIS 


* 
Value 
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docx 

DOCX 
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2016-05-25 13:54:29 (UTC) 
2017-08-04 16:01:00 (UTC) 
UTC 

APFS 

No 
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= 
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0x40 
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2016-05-25 13:54:29 (UTC) 
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2016-05-25 13:54:29 (UTC) 
2016-05-25 00:00:00 (UTC) 
2016-05-25 13:54:29 (UTC) 
2016-05-25 00:00:00 (UTC) 
org.openxmiformats.wordproce: 
org.openxmiformats.wordproce: 
org.openxmiformats.openxm! 
public.zip-archive 
com.pkware.zip-archive 
public.data 

public.item 

public.archive 
public.composite-content 
public.content 

2016-05-25 13:54:29 (UTC) 
2016-05-25 00:00:00 (UTC) 
BMW Infotainment.docx 
2017-11-29 00:00:00 (UTC) 
Microsoft Word 2007 document 
2017-11-29 23:06:43 (UTC) 
2017-11-29 00:00:00 (UTC) 
23003 

24576 

3 

2017-11-29 05:00:00 (UTC) 
2017-11-29 08:00:00 (UTC) 
2016-05-25 13:54:29 (UTC) 
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File System and Operating System Unique Metadata 


Some metadata is unique to the file system. Metadata unique to APFS and HFS+ includes: 

• Owner and Group ID 
• Visible 
• Locked 
• Permissions 
• Date Added 
• Spotlight Metadata 


Spotlight metadata includes a vast amount of information. Data can be filtered based on 
Spotlight metadata. For more information, see Artifact Items. 


HFS+ has additional metadata not found in APFS, including: 

• Label color 
• Extended Attribute data 


On Windows systems, Access Control Lists are stored in NTFS to control file system 
permissions. Each file on a Windows system has Access Control Entries (ACEs) to control file 
permission. The ACEs are parsed in the File Information pane. For more information, see Artifact 
Items. 


Media File Metadata 


Picture and video files typically have additional metadata, including: 

Category  Description 
Summary  Image summary data (i.e., format, image dimensions, color space, aspect ratio, skin tone %) 
TIFF  TIFF (originally standing for Tagged Image File Format) is a file format for storing images 
EXIF  Exchangeable Image File Format. Includes GPS, camera make, model, settings, and sound data 
GPS  Location-based data stored by a digital camera 
Threat Category  Threat category calculated for the image file 
Various other categories  Displays application-specific metadata 

The metadata contained in each media file varies based on file type, how the media file was 
created, and other factors. 


Cellebrite 67 


Version 10.4 Workspace Orientation 


File Content View 


In the Content pane, select a file. If the File Content view is hidden, at the bottom of the Content 
pane select and drag the double hash marks up or down to view file data within the File Content 
view. 


Note: The File Content view pane does not appear in the Details, Report, and Share views. 


These are the tabs available in the File Content view. 

• Hex 
• Strings 
• Preview 
• Metadata 
• Location 
  ◦ Offline Maps 
• Record 


You can "tear off" the File Content view as a separate window, so that the File Content view appears in its 
own window and several copies of it can be seen at the same time. 


In the upper left of the File Content view, immediately above the Hex tab, there is a grab handle 
appearing as several short, vertical lines. Click the handle and drag it away in any direction. A 
new File Content view window is created. This new window can be placed on another monitor if 
multiple monitors are being used, and it can be enlarged to the desired size. 


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Additional tear-off File Content view windows can be created, and each one can be used to view 
different data if desired. For instance, one window may show the Preview tab, while another 
shows Metadata, and a third reveals Location maps. When a file is selected within the original 
case window, such as in Browser view, all of the tear-off windows update to reflect information 
related to that file. 


[Screenshot: the main case window (Inspector Case.inspector) with the EVIDENCE and ACTIVITY sections visible, and three torn-off File Content view windows showing the Preview, Metadata, and Location tabs for a photo under Users/josh/Dropbox/Camera Uploads.] 


There is no need to reconnect these tear-off windows to the original case window. Simply close 
each window when finished with it. Even though the File Content view can be hidden on the 
original case window, it is always there and never has to be reattached. 


Hex 


Click Hex to display data in hexadecimal and ASCII characters. In the lower right corner of the 
File Content view, the sector offset, physical sector, logical sector, cluster start, and selection 
length for the current cursor position displays. Select and drag across data of interest to 
highlight it, open the context menu from the highlighted area, and then click Tag Hex Data As to 
tag the data and include it in the examiner report. For more information, see Tagging. 


[Screenshot: Hex tab showing the first bytes of a JPEG (FF D8 FF E0 ... "Exif" ... "MM" ... "Apple" "iPhone 5" ... "2013:09:11 21:32:07") with the Data Interpreter pane to the right (String, Date/Time, Cocoa, Chrome, Firefox, Unix, signed/unsigned integers) and a status bar showing Sector Offset, Position, Selection length, and endianness.] 
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When a file is examined in Hex view, Inspector displays allocated bytes of the file in black. The 
RAM slack [i.e., data from the last byte of the file to the end of the sector] is shown in a lavender 
color, and the disk slack [i.e., the start of the next sector to the end of the cluster [logical block 
on the Mac]) is displayed in red. 


[Screenshot: Hex tab at the end of a file, with the last allocated bytes in black followed by RAM slack and disk slack; the ASCII column shows fragments of a previous file. Status bar: Sector Offset: 0x1F0 (496), Position: 0x57F0 (22512), Little endian.] 


Strings 


Click Strings to display ASCII printable strings of three (3) characters or more. If the selected file 
is a text file, an examiner can perform a keyword search within the displayed text strings in both 
the Strings view and Preview views. 


When the OCR (optical character recognition) process has completed, any text parsed from 
supported image file types can be seen in the Strings view. OCR text appears after this label: 
****** OCR Image Text ******. While you can search OCR text with an index search, a content 
search cannot find it because it does not exist as plain text in the file. You may also use the OCR Image 
Text option to filter image files that have recognized text. 


When you click Edit » Find, a Find dialog box appears. You can drag across search results to select and 
tag them. 
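The slack colouring in the Hex tab and the string extraction in the Strings tab are worth reproducing by hand, because a string that lies in slack rather than in the allocated bytes is evidence of a previously allocated file, not of the current one. The following is an added example, not Inspector's own code: it computes the allocated, RAM slack, and disk slack byte ranges for a file of a given logical size (the sector and cluster sizes are assumptions), runs the same three-printable-characters rule the Strings tab uses, and reports which region each string starts in. The cluster contents are constructed.

```python
"""Added example (not Inspector's own code): classify the bytes of a file's
last cluster as allocated, RAM slack or disk slack, the three regions the
Hex tab colours black, lavender and red, and run a minimal 'strings' pass
that reports the region each string lies in. Sector and cluster sizes and
the sample cluster are assumptions / constructed data."""
import re
from dataclasses import dataclass

SECTOR = 512       # assumed sector size
CLUSTER = 4096     # assumed cluster (NTFS) / logical block (APFS) size


@dataclass
class Region:
    name: str   # "allocated", "ram_slack" or "disk_slack"
    start: int  # byte offset from the start of the file's last cluster
    end: int    # exclusive


def slack_regions(logical_size: int, sector: int = SECTOR, cluster: int = CLUSTER) -> list:
    """Byte ranges for a file of logical_size bytes stored in whole clusters.
    RAM slack: last data byte up to the end of that sector.
    Disk slack: next sector up to the end of the cluster.
    Either range is empty when the size already lands on the boundary."""
    if logical_size < 0:
        raise ValueError("size must be non-negative")
    sector_end = -(-logical_size // sector) * sector      # round up to a sector
    cluster_end = -(-logical_size // cluster) * cluster   # round up to a cluster
    return [Region("allocated", 0, logical_size),
            Region("ram_slack", logical_size, sector_end),
            Region("disk_slack", sector_end, cluster_end)]


def region_of(offset: int, regions: list) -> str:
    for r in regions:
        if r.start <= offset < r.end:
            return r.name
    return "outside"


# Same rule as the Strings tab: printable ASCII runs of three or more characters.
STRING_RE = re.compile(rb"[\x20-\x7e]{3,}")


def strings_with_region(data: bytes, logical_size: int,
                        sector: int = SECTOR, cluster: int = CLUSTER) -> list:
    """(offset, region, text) for every string in the file's cluster data."""
    regions = slack_regions(logical_size, sector, cluster)
    return [(m.start(), region_of(m.start(), regions), m.group().decode("ascii"))
            for m in STRING_RE.finditer(data)]


def build_sample_cluster(logical_size: int = 700, cluster: int = CLUSTER) -> bytes:
    """Constructed data: a 700-byte text file written into a cluster that still
    holds fragments of whatever was allocated there before."""
    buf = bytearray(cluster)
    buf[:logical_size] = (b"Quarterly report: all systems nominal.\n" * 20)[:logical_size]
    buf[800:822] = b"STALE PASSWORD=hunter2"          # residue inside RAM slack (700..1024)
    buf[2000:2025] = b"old_invoice_2019.docx end"     # residue inside disk slack (1024..4096)
    return bytes(buf)


if __name__ == "__main__":
    for off, region, text in strings_with_region(build_sample_cluster(), 700):
        if region != "allocated":
            print(f"{off:5d}  {region:10s}  {text}")
```

Two caveats when reading real slack: Windows zero-fills the unused tail of the last sector before writing it, so RAM slack on NTFS is usually zeros and the remnants of an earlier file survive in the disk slack; and a small NTFS file that is resident in its MFT record has no cluster of its own, so these regions do not apply to it.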


Preview 


Click Preview to see a file as it would appear in its native application. 


You can toggle the preview between the default [scaled to fit the Preview tab] or actual size. The 
appearance of the toggle depends on the preview displayed at the moment. 




In the upper right corner of the File Content view, click View to see data contained in a file's data 
fork, resource fork, and/or ADS (alternate data stream). 


August 2021 Inspector User Guide 


down menu. Inspector looks to see if a file has a resource fork and if so, automatically adds this 
option to the drop-down menu. Likewise, if an NTFS file has data in an ADS, an option for viewing 
the ADS will be included in the drop-down menu. 


You can preview video files. To see the video file split into sixteen frame sequences and displayed 
as a 4 x 4 mosaic, at the top right of the File Content view, click Thumbs. 


If you click Video, the video file is rendered with playback controls. To play the video, click Play. 


[Screenshot: Preview tab for a .mov file with the Thumbnails, Combined, Audio, and Video controls and the 4 x 4 frame mosaic; the path shown is (1 of 97) - Racer - Data/Users/josh/Dropbox/Camera Uploads/2010-12-01 13.19.12.mov.] 


In the Content pane, select a file and press the spacebar, or select the Eye button to view the file 
using Quick Look (Mac only). Quick Look displays native Apple application files (and some third- 
party application files) the same way a user sees them. Audio and video files play within the 
Quick Look view as well. 


Note: The Quick Look feature works only when a Quick Look plug-in for the selected file type, or 
an application that supports the selected file type, is installed on the forensic examiner's analysis 
machine. 


Inspector allows queries to be run on SQLite databases. Select a database and click 
Preview in the File Content view. Enter a valid SQLite query in the upper pane of the File Content 
view, or double-click one of the database tables to the left. When the examiner double-clicks a 
table, a query is automatically populated. The query can be edited and run as desired, with 
results showing in the lower pane. When finished editing, press ENTER to run the query. Results 
can be exported as tab-delimited or CSV files. To do so, select the results and open the context 
menu, then select Export Selected Rows to choose the format and save location. 
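The same discipline Inspector applies in the query pane, that an examiner's query can read an evidence database but never change it, can be reproduced outside the tool. The following is an added example, not Inspector's own code: it opens the database through a read-only, immutable SQLite URI so that no journal or WAL side files are created next to the evidence, installs an authorizer callback that denies every non-read action (which is a stronger guard than matching the words CREATE or DELETE in the query text), and exports the result rows as tab-delimited or CSV text. The table and rows are constructed sample data shaped like the screenshot, not a real device database.

```python
"""Added example (not Inspector's own code): run examiner queries against an
evidence SQLite database with no possibility of modifying it. Two layers:
the file is opened read-only (URI mode=ro, immutable=1), and an authorizer
denies every non-read action, the equivalent of Inspector refusing
CREATE/DELETE in the query pane. Table and rows are constructed samples."""
import csv
import io
import os
import sqlite3
import tempfile

# Actions SQLite performs while preparing a read-only query.
_READ_ACTIONS = {
    sqlite3.SQLITE_SELECT,
    sqlite3.SQLITE_READ,
    sqlite3.SQLITE_FUNCTION,
    getattr(sqlite3, "SQLITE_RECURSIVE", -1),   # WITH RECURSIVE, where this build exposes it
}


def _deny_writes(action, arg1, arg2, db_name, trigger_or_view):
    """Authorizer: OK for read actions, DENY for INSERT, UPDATE, DELETE,
    CREATE_*, DROP_*, ALTER, PRAGMA, ATTACH and everything else."""
    return sqlite3.SQLITE_OK if action in _READ_ACTIONS else sqlite3.SQLITE_DENY


def open_evidence_db(path: str) -> sqlite3.Connection:
    # mode=ro refuses writes; immutable=1 also skips locking and side files
    # (use forward slashes in the path on Windows).
    uri = "file:" + os.path.abspath(path).replace("\\", "/") + "?mode=ro&immutable=1"
    conn = sqlite3.connect(uri, uri=True)
    conn.set_authorizer(_deny_writes)
    return conn


def run_query(conn: sqlite3.Connection, sql: str):
    """Return (column_names, rows). Destructive SQL raises sqlite3.DatabaseError
    ('not authorized') at prepare time, before anything executes."""
    cur = conn.execute(sql)
    return [d[0] for d in cur.description], cur.fetchall()


def rows_to_delimited(cols, rows, delimiter: str = "\t") -> str:
    """Export like 'Export Selected Rows': TSV by default, CSV with delimiter=','."""
    buf = io.StringIO()
    writer = csv.writer(buf, delimiter=delimiter, lineterminator="\n")
    writer.writerow(cols)
    writer.writerows(rows)
    return buf.getvalue()


def make_sample_db(path: str) -> None:
    """Constructed evidence database with a table shaped like the screenshot's."""
    c = sqlite3.connect(path)
    c.execute("CREATE TABLE ckdevicestate (ckzone TEXT, osversion TEXT, lastunlock TEXT)")
    c.executemany("INSERT INTO ckdevicestate VALUES (?, ?, ?)", [
        ("ApplePay", "iphone 17.6.0 (15F79)", "2018-08-20T00:00:00Z"),
        ("ApplePay", "macOS 18.7.0 (18695)", "2019-10-07T00:00:00Z"),
        ("AutoUnlock", "macOS 19.0.0 (19888)", "2019-12-18T00:00:00Z"),
    ])
    c.commit()
    c.close()


def demo() -> dict:
    """Build the sample, query it, attempt a DELETE, and report what happened."""
    with tempfile.TemporaryDirectory() as d:
        db = os.path.join(d, "evidence.sqlite")
        make_sample_db(db)
        conn = open_evidence_db(db)
        try:
            cols, rows = run_query(
                conn, "SELECT ckzone, osversion, lastunlock FROM ckdevicestate ORDER BY lastunlock")
            try:
                run_query(conn, "DELETE FROM ckdevicestate")
                blocked = None                       # would mean the guard failed
            except sqlite3.DatabaseError as e:
                blocked = str(e)
        finally:
            conn.close()
    return {"cols": cols, "rows": rows, "tsv": rows_to_delimited(cols, rows), "blocked": blocked}


if __name__ == "__main__":
    result = demo()
    print(result["tsv"])
    print("destructive query blocked:", result["blocked"])
```

The authorizer is consulted while the statement is compiled, so the DELETE is refused before SQLite touches a single page, and even a query that slips past it would still hit the read-only file. Run the same checks before pointing any scripted tooling at a database copied out of an image.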


[Screenshot: Preview tab for a SQLite database. The upper pane holds the query SELECT ckzone, osversion, lastunlock FROM ckdevicestate; the table list (tkeyarchives, ckdevicestate, ...) is on the left; the result rows (ApplePay and AutoUnlock zones with OS versions such as iphone 17.6.0 (15F79) and macOS 19.0.0 (19888) and lastunlock timestamps) appear in the lower pane, with the Data Interpreter on the right.] 
In the upper pane, known keywords (e.g., "SELECT" and "FROM") are displayed in blue. Inspector 
prevents processing of destructive user-defined SQLite queries (e.g., "CREATE" or "DELETE"). 
When typed, these destructive terms are displayed in red, and an error message is displayed. 
When an existing table or column name is partially typed and the cursor is placed anywhere 
within or directly after that partial name, the examiner can press TAB for autocomplete 
suggestions. A list of tables and columns that contain that partial name appears. The examiner 
can then select a table or column name from the list, and Inspector autocompletes the name in 
the query. 
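How a read-only query pane of this kind can be built is shown below. This is an added example and not Inspector's own code: it uses the authorizer hook of Python's sqlite3 module to refuse every statement that is not a read (the CREATE and DELETE the text names, and also UPDATE, DROP, ALTER, ATTACH and PRAGMA), opens evidence databases with mode=ro&immutable=1 so that SQLite writes no journal or WAL next to the file carved from an image, and derives the TAB completion list from the schema. The ckdevicestate and tkeyarchives tables follow the names in the screenshot, but the database and its rows are constructed here.

```python
import sqlite3

# Authorizer actions a query pane may perform: read rows and call SQL funct
# Every other action (CREATE, INSERT, UPDATE, DELETE, DROP, ALTER, ATTACH, PRAGMA ...)
# is refused at prepare time, before a single byte of the database is touched.
_READ_ONLY_ACTIONS = {sqlite3.SQLITE_SELECT, sqlite3.SQLITE_READ, sqlite3.SQLITE_FUNCTION}


def _authorizer(action, arg1, arg2, db_name, trigger_or_view):
    return sqlite3.SQLITE_OK if action in _READ_ONLY_ACTIONS else sqlite3.SQLITE_DENY


def open_evidence_db(path):
    """Open a database extracted from an image read-only and immutable: with immutable=1
    SQLite neither writes a journal/WAL nor attempts recovery, so the file is never modified.
    (A path containing '?' or '#' must be percent-encoded in the URI.)"""
    conn = sqlite3.connect("file:%s?mode=ro&immutable=1" % path, uri=True)
    conn.set_authorizer(_authorizer)
    return conn


def build_sample_db():
    """Constructed in-memory sample (the rows are made up, not data from the page);
    the table and column names follow the ckdevicestate query in the screenshot."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE ckdevicestate (ckzone TEXT, osversion TEXT, lastunlock TEXT);
        INSERT INTO ckdevicestate VALUES ('ApplePay', 'iPhone 17.6.0 (15F79)', '2018-08-20T00:00:00Z');
        INSERT INTO ckdevicestate VALUES ('ApplePay', 'macOS 18.7.0 (18G95)',  '2019-10-07T00:00:00Z');
        CREATE TABLE tkeyarchives (id INTEGER PRIMARY KEY, archive BLOB);
    """)
    conn.set_authorizer(_authorizer)   # from here on the connection behaves like the Preview pane
    return conn


def run_query(conn, sql):
    """Execute one user-typed statement and return (column names, rows).
    A statement that would write or change the schema never runs: the authorizer
    rejects it while SQLite is compiling it."""
    try:
        cur = conn.execute(sql)
    except sqlite3.DatabaseError as exc:
        if "authoriz" in str(exc).lower():          # "not authorized" / "authorization denied"
            raise PermissionError("refused, not a read-only statement: %s" % sql) from exc
        raise
    return [d[0] for d in cur.description], cur.fetchall()


def is_refused(conn, sql):
    """True when the query pane would reject `sql` (the red-keyword case in the text)."""
    try:
        run_query(conn, sql)
    except PermissionError:
        return True
    return False


def complete_name(conn, partial):
    """Table and column names containing `partial`, i.e. the TAB completion list.
    Columns are discovered with a zero-row SELECT so the authorizer need not allow PRAGMA."""
    partial = partial.lower()
    tables = [r[0] for r in conn.execute("SELECT name FROM sqlite_master WHERE type = 'table'")]
    matches = [t for t in tables if partial in t.lower()]
    for table in tables:
        quoted = '"%s"' % table.replace('"', '""')
        columns = [d[0] for d in conn.execute("SELECT * FROM %s LIMIT 0" % quoted).description]
        matches += ["%s.%s" % (table, c) for c in columns if partial in c.lower()]
    return matches
```

The authorizer is the important part: blocking on keywords alone misses writes hidden in a CTE or behind a comment, whereas SQLite consults the authorizer for every action a statement compiles to, so the refusal cannot be bypassed by spelling. immutable=1 matters because even a read-only open will otherwise try to roll back a hot journal found next to the database.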


Metadata 


With any file selected, click Metadata in the File Content view. The metadata shown is identical 
to that displayed in the smaller File Information pane to the left, but you can enlarge this 
pane as much as you need. 


In some cases, only Hash:1:MD5 is shown as an available MD5 hash field; at other times additional 
MD5 hash fields may be shown. These numbers relate to the data fork, resource fork, and ADS fork: 


Hash:0 = mirror of data fork 
Hash:1 = data fork 
Hash:2 = resource fork (Mac) 
Hash:4 = ADS fork (Windows) 


S fork, therefore MD5 hash number typ: 


Location 


Select any media file that contains geolocation (GPS) data (indicated by a red placemark icon), 
or any applicable record in the Location view, then click Location in the File Content view to 
display one or more offline maps depicting the item's latitude and longitude. Inspector also 
displays a button to optionally view the location in Google Maps (if connected to the Internet), 
together with the other geolocation information contained in the file's metadata. 
Offline Maps 


Inspector presents a set of static maps based on OpenStreetMap. Select a file that contains GPS 
coordinates and click Location in the File Content view. In the Location tab, you can see an 
offline map with three levels of zoom. You can download additional maps for additional zoom 
capabilities. 
[Screenshot: Location tab for a photo. The left pane lists the file's geolocation metadata 
(Altitude 625.6139 m (2053 ft), Altitude Reference Sea level, Image Direction 29.06641, True 
direction, Latitude 36.1435, Longitude -115.157333333, Time Stamp 04:32:07) above a Show on 
Google Maps... button; the right pane shows the offline OpenStreetMap map near Lake Mead 
National Recreation Area, credited to OpenStreetMap contributors.] 


The zoom is currently set at levels 3, 5, and 8. When additional zoom level tiles are downloaded, 
Inspector increases its maximum zoom accordingly. When connected to the Internet, you may 
also zoom in by clicking Show on Google Maps. The default web browser opens to Google Maps, 
allowing control of the zoom level and viewing style. With Inspector, you can export files 
containing GPS information as a .kmz file or in .kml format. Select the files containing GPS data, 
open the context menu, click Export » Export Selected Location Data As, and then choose either 
KMZ or KML format. In the Export window, provide a file name, choose or create a destination 
folder, and then click Export. Inspector exports the GPS data to a .kmz or .kml file in the 
destination folder. 


Record 


Select a file and click Record in the File Content view. The Record view displays the MFT record, 
catalog tree record, or FAT file system record for the selected file. 
Data Interpreter View 


There is a hidden Data Interpreter view which can be slid into view from the right side of the File 
Content view. Select and drag the double hash marks left or right to view file data within the 
Data Interpreter. This view is hidden by default, but once opened it remains in the same position 
until you change it. 


The Data Interpreter works in the Hex and Strings views. It also works in the Preview view for 
certain file types, such as databases and .plists. In the Hex view, select and drag across data 
of interest to highlight it; the Data Interpreter automatically updates its display accordingly. 


The interpreter has three modes in which the data may be displayed: Big Endian, Little Endian, 
and Both. Choose the option that best suits the data type being decoded or interpreted. 
Choosing Both shows the Big Endian and Little Endian values side by side. Use the disclosure 
triangles in the data type rows to show or hide values. 


In this example, the date is highlighted in green. Looking at the Big Endian FILETIME date, it 
becomes clear that the date is not real; the Little Endian date is. This might lead the 
examiner to conclude that this is a Microsoft date, as Windows stores integers in Little Endian 
byte order (least significant byte first). 


[Screenshot: Hex tab of an MFT record (FILE signature, $MFT name) with an 8-byte selection 
highlighted in green; the status bar reads Sector Offset 0x60 (96), Position 0x60 (96), 
Selection 0x8 (8). The Data Interpreter at the right decodes the selection: the Little Endian 
FILETIME row gives a valid 2015 date while the Big Endian reading does not.] 


[Screenshot: Preview tab of a SQLite message database (type, service, account, date, date_read, 
date_delivered, is_delivered, is_finished columns). A date value in the selected row is clicked 
and the Data Interpreter shows its Chrome, Cocoa/Webkit, Cocoa Nanoseconds (2010-11-30 
19:41:37 UTC), DOS, FILETIME, Firefox and other decodings side by side, in Little Endian mode.] 


Values from within .plist files and databases can also be selected for interpretation. Clicking 
Preview while viewing a database file displays the database structure; select the desired table 
at the left to view its contents. Values stored as integers can be interpreted: click a value in 
the lower pane, and the Data Interpreter decodes it. For example, in the screenshot above, a 
date value (1308221028) within the highlighted row is clicked, and it is interpreted into all the 
values the Data Interpreter can decode. 
These are the values decoded by the Data Interpreter view. 


String:     UTF-8, UTF-16 
Date/Time:  Chrome, DOS, FILETIME, OS X, Cocoa/Webkit, Cocoa Nanoseconds, Unix, Firefox, Java, OLE 
Integer:    8 bit, 16 bit, 32 bit and 64 bit, signed and unsigned 
Float:      Single (4 byte), Double (8 byte) 
Other:      Base64 


The Data Interpreter view is also available within the Disk View, where the full evidence disk is 
presented in a raw form. For more information, see Details View for Disk Images. 
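The decoding the Data Interpreter performs for the date formats in the list above, done by hand in Python, as an added example (not Inspector's code). It reads a selection in both byte orders, applies each format's epoch and unit, and returns None where the result is unrepresentable or outside a plausible window of years, which is the "date is not real" call the text describes for the Big Endian FILETIME. The FILETIME and Unix sample bytes are constructed here; the four bytes E2 4E 78 47 are the ones the Data Structure example later on this page highlights as the DOS Date & Time of a ZIP header, and the same bytes read as a Little Endian Unix value give 2007-12-31 02:07:30 UTC, the kind of plausible-but-wrong alternative an examiner has to rule out from context.

```python
import struct
from datetime import datetime, timedelta, timezone

UTC = timezone.utc
# Epoch and unit of each date format the Data Interpreter lists (DOS is packed, see below).
_E1601 = datetime(1601, 1, 1, tzinfo=UTC)       # FILETIME, Chrome/WebKit
_E1899 = datetime(1899, 12, 30, tzinfo=UTC)     # OLE Automation date
_E1904 = datetime(1904, 1, 1, tzinfo=UTC)       # classic Mac OS / HFS+ ("OS X" row)
_E1970 = datetime(1970, 1, 1, tzinfo=UTC)       # Unix, Firefox (PRTime), Java
_E2001 = datetime(2001, 1, 1, tzinfo=UTC)       # Cocoa / CFAbsoluteTime
FORMATS = {   # name: (struct code, epoch, raw value -> offset from epoch)
    "Unix":              ("I", _E1970, lambda v: timedelta(seconds=v)),
    "OS X":              ("I", _E1904, lambda v: timedelta(seconds=v)),
    "Cocoa/Webkit":      ("I", _E2001, lambda v: timedelta(seconds=v)),
    "Cocoa Nanoseconds": ("Q", _E2001, lambda v: timedelta(microseconds=v // 1000)),
    "FILETIME":          ("Q", _E1601, lambda v: timedelta(microseconds=v // 10)),
    "Chrome":            ("Q", _E1601, lambda v: timedelta(microseconds=v)),
    "Firefox":           ("Q", _E1970, lambda v: timedelta(microseconds=v)),
    "Java":              ("Q", _E1970, lambda v: timedelta(milliseconds=v)),
    "OLE":               ("d", _E1899, lambda v: timedelta(days=v)),
}


def decode_timestamps(data, little_endian=True, window=(1980, 2040)):
    """Interpret `data` in every format of the table. A selection shorter than a format is
    zero-extended (as the interpreter does for a 4-byte selection). Anything unrepresentable
    or outside the `window` of years comes back as None: the 'date is not real' judgement
    the examiner makes when comparing the two byte orders."""
    order = "<" if little_endian else ">"
    result = {}
    for name, (code, epoch, offset) in FORMATS.items():
        size = struct.calcsize(code)
        raw = data[:size]
        if len(raw) < size:
            pad = b"\x00" * (size - len(raw))
            raw = raw + pad if little_endian else pad + raw
        value = struct.unpack(order + code, raw)[0]
        try:
            ts = epoch + offset(value)
        except (OverflowError, ValueError):        # beyond datetime's range, or a NaN/inf double
            ts = None
        result[name] = ts if ts is not None and window[0] <= ts.year <= window[1] else None
    return result


def decode_dos_datetime(data, little_endian=True):
    """Packed MS-DOS stamp as stored in FAT directory entries and ZIP headers: a 16-bit time
    word then a 16-bit date word, local time with no zone, so a naive datetime is returned
    (None when the fields are not a valid date)."""
    if len(data) < 4:
        return None
    t, d = struct.unpack(("<" if little_endian else ">") + "HH", data[:4])
    try:
        return datetime(1980 + (d >> 9), (d >> 5) & 0xF, d & 0x1F,
                        t >> 11, (t >> 5) & 0x3F, (t & 0x1F) * 2)
    except ValueError:                              # month 0, day 0, hour 24 ...
        return None


def both_endian(data, window=(1980, 2040)):
    """What the interpreter's Both mode shows: each format as (Little Endian, Big Endian)."""
    le, be = decode_timestamps(data, True, window), decode_timestamps(data, False, window)
    return {name: (le[name], be[name]) for name in FORMATS}


# Constructed samples (hex typed here, not taken from a screenshot):
FILETIME_2000 = bytes.fromhex("00406D25EB53BF01")  # 0x01BF53EB256D4000 = 2000-01-01 00:00:00 UTC
UNIX_1E9 = bytes.fromhex("00CA9A3B")               # 0x3B9ACA00 = 1e9 = 2001-09-09 01:46:40 UTC
# The four bytes the Data Structure example highlights at position 10 of a ZIP header:
ZIP_DOS_STAMP = bytes.fromhex("E24E7847")

if __name__ == "__main__":
    for name, (le, be) in both_endian(FILETIME_2000).items():
        print("%-18s LE: %-26s BE: %s" % (name, le, be))
    print("DOS (ZIP stamp):", decode_dos_datetime(ZIP_DOS_STAMP))
```

Running it on FILETIME_2000 shows why the Both mode is useful: the Little Endian FILETIME is exactly 2000-01-01, the Big Endian FILETIME lands in the 1600s and is dropped, but the same eight bytes also yield a plausible Unix date from the first four and a plausible Cocoa Nanoseconds date, so the format is settled by where the bytes live (an MFT record, a plist, a ZIP header), not by the decoder alone.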


Hex Templates and Data Structure View 


Inspector can view binary data structures using templates. Templates take the mystery out of 
binary data by presenting it in an intuitive way: rather than displaying only the raw hex bytes of 
the file, Inspector shows the file parsed into a hierarchical data structure for easy 
understanding. This goes beyond the Data Interpreter view, which displays arbitrary 
interpretations of the selected bytes. 


[Screenshot: the file list (BLID, FSID, Name, Size, Date Created, Date Modified, Date Accessed, 
Date Added, Version, Index, Extension columns) showing several .zip archives, with the Hex tab 
open below on the selected archive: its first bytes are 50 4B 03 04 ("PK..") and the Data 
Interpreter is open at the right. Status bar: Sector Offset 0x0 (0), Position 0x4E (79), 
Little Endian.] 
Inspector will automatically apply a template to a file when the file is selected and a template for 
that file type exists. 


[Screenshot: the same archive with the Data Structure tab selected. The template presents it as 
a ZIP FILE RECORD with Element and Value columns, including the compression method (None or 
DEFLATE), the DOS date and time 2015-11-24 09:55:04 (UNKN), the CRC 0x9EC9E993 and a file 
name length of 10, with Position and Size for each element. Status bar: Sector Offset 0x0 (0), 
Position 0xA (10), Selection 0x4 (4).] 
In the previous example, a zip archive was selected and, by choosing the Data Structure option, 
the zip file's data structure is revealed. All parts of the data structure defined by the 
template are shown to the user: the element name or variable, spelled out for the benefit of the 
user, the value of that item, its position from the beginning of the file, and the size of the 
particular structure. This allows a deeper view into otherwise overlooked data structures. The 
template also returns a color coding for specific data types, which the user can choose, and 
highlights forensically important items such as dates and times, usernames, paths, and so on. 


The data structure is made up of a series of variables, and selecting a variable in the list shows 
which hex bytes correspond to that variable (in the image above, the variable DOS Date & Time 
corresponds to the hex bytes E2 4E 78 47 at position 10). Highlighting either the hex data or the 
variable changes the other component. In addition, the Data Interpreter view can be selected, 
and the corresponding data is displayed there as well. 


[Screenshot: the Data Structure view with the variable DOS Date & Time selected and the bytes 
E2 4E 78 47 highlighted at position 10 of the Hex view (Position 0xA (10), Selection 0x4 (4)). 
The Data Interpreter decodes the same four bytes in Little Endian: decimal 1199066850, DOS 
2015-11-24 09:55:04, Unix 2007-12-31 02:07:30 (UTC), Cocoa/Webkit 2038-12-31 02:07:30 (UTC), 
OS X 1941-12-30 02:07:30 (UTC), Chrome 1601-01-01 00:19:59 (UTC), Firefox 1970-01-01 00:19:59 
(UTC).] 
Templates for ZIP, TAR, SQLite, BMP, JPG, GIF, PNG, AVI, MP4, and LNK files are included with 
Inspector, as well as templates for parsing HFS Catalog Records, MFT Records, FAT32 Records, 
Partition Tables, and boot sectors. It is not difficult to write your own template for Inspector to 
use. 




Templates are written in Python and are very flexible, since they may include if, for, or while 
statements as well as functions or complex expressions. A template is executed as a program, 
starting from the first line of the file. The data of the file being examined is passed in from 
Inspector as a stream object; the Python template reads it and, once the stream has been parsed, 
returns the data structure to Inspector for display. 


The templates that come with Inspector (compatible with Python 3.8.2) are not designed to be 
altered by the user. Rather, users can create their own templates and place them in the 
following locations. 


e macOS: /Users/«username»/Library/Application Support/CellebriteTech/Template Scripts/ 
e Windows 10: C:\Users\<username>\AppData\Roaming\CellebriteTech\Template Scripts 


The built-in templates can be overridden by user-based templates. Templates are selected by the 
extension of a file. In other words, the templates are named <extension>_template.py, where 
extension is the extension of the file the template parses. For example, a file with a .png 
extension uses a template named png_template.py. The following example demonstrates a 
simple PNG template. This template is designed to parse the chunk structure of a PNG image 
file. 


#!/usr/bin/python
# -*- coding: utf-8 -*-
"""
File:          png_template.py
Author:        Cellebrite
Version:       1.0
Purpose:       Template for parsing PNG structures.
Category:      Image
Signature ID:  89 50 4E 47 0D 0A 1A 0A  // .PNG
History:
    1.0    Cellebrite    Initial release
"""

from bbt_framework import *


def analyse_stream(stream):
    # PNG files are Big Endian
    stream.little_endian = False

    # Read the first 8 bytes, which are the PNG signature
    sig = b""
    try:
        sig = stream.read_bytes(8)
    except Exception:
        pass
    if sig != b'\x89PNG\r\n\x1a\n':
        root = TemplateField("Invalid PNG Data", 0, stream.length(), "")
        return root

    # Create the root field for the PNG
    root = TemplateField("PNG", 0, stream.length(), "")
    # Create the signature field and append it to the root field
    signature = TemplateField("Signature", 0, 8, sig)
    root.append(signature)

    # Loop through the chunks until we get to the end.
    try:
        while stream.position < stream.length():
            # Read the chunk length, type, data and a checksum
            chunk_start = stream.position
            chunk_length = stream.read_uint32()
            chunk_type = stream.read_utf_8(4)
            # Just move the position rather than reading the data
            stream.position = stream.position + chunk_length
            chunkCRC = stream.read_uint32()

            # Add a field for this chunk: 4 bytes each for length, type and CRC
            chunk = TemplateField(chunk_type, chunk_start, chunk_length + 12, "")
            root.append(chunk)

            # Each chunk has 3 or 4 sub fields: size, type, possible data and CRC
            # Add size sub field
            chunk.append(TemplateField("Chunk Size", chunk_start + 0, 4, chunk_length))
            # Add type sub field
            chunk.append(TemplateField("Chunk Type", chunk_start + 4, 4, chunk_type))
            # Add data sub field if it's non-zero
            if chunk_length != 0:
                chunk_data_field = TemplateField("Chunk Data", chunk_start + 8, chunk_length, b'')
                chunk.append(chunk_data_field)
            # Add CRC sub field
            chunk.append(TemplateField("Chunk CRC", chunk_start + 8 + chunk_length, 4, chunkCRC))

            if chunk_type == "CgBI":
                chunk.value = "iOS PNG"
            elif chunk_type == "IHDR":
                chunk.value = "Image Header"
                # Move the stream position back so we can read the data (4 accounts for the CRC)
                stream.position = stream.position - chunk_length - 4
                chunk_data_field.append(stream.read_uint32_template("Width"))
                chunk_data_field.append(stream.read_uint32_template("Height"))
                chunk_data_field.append(stream.read_uint8_template("Bit Depth"))
                chunk_data_field.append(stream.read_uint8_template("Color Type"))
                chunk_data_field.append(stream.read_uint8_template("Compression Method"))
                chunk_data_field.append(stream.read_uint8_template("Filter Method"))
                chunk_data_field.append(stream.read_uint8_template("Interlace Method"))
                # Reset the position to where it was (past the CRC)
                stream.position = stream.position + 4
            elif chunk_type == "IDAT":
                chunk.value = "Image Data"
            elif chunk_type == "IEND":
                chunk.value = "Image Trailer"
    except Exception:
        import logging
        logging.exception("error")
        if TemplateField.last_append is None:
            root.append(TemplateField("Invalid PNG Data", stream.length(), 0, ""))
        else:
            lastValidPos = TemplateField.last_append.position + TemplateField.last_append.size
            root.append(TemplateField("Invalid PNG Data", lastValidPos, stream.length() - lastValidPos, ""))
    return root


def process(file_name=""):
    # create the stream
    stream = BBTStream(file_name)
    # analyze the stream
    root = analyse_stream(stream)
    # display the result
    root.display()


if not BBTFunctionsAvailable:
    process("sample.png")


Note: Template scripts must import the bbt_framework module. 


There is currently one other module that can be included, to assist with dates and times: the 
datetime_helpers module. 


These are the basic template structure definitions. 


stream = The input stream (i.e., reading the file from position N, where N is either the start of 
the file or some positional offset) 

    o stream.position   The current location of the read in the stream 
    o stream.length()   The length of the entire input stream 

Little Endian vs Big Endian = Data is translated as Little Endian by default. To translate as Big 
Endian, add the following at the beginning of def analyse_stream(stream): 

    stream.little_endian = False 

root = The root field for the Template view. The root field is created by defining a new 
TemplateField named root, with its length set to the entire input stream: 

    root = TemplateField( "<NAME OF STRUCTURE>", 0, stream.length(), "" ) 

    o root.append(defined_field)   Appends a simple or complex field to the root field of 
      the Template view 
    o return root   Returns all of root 

def analyse_stream(stream)   Wrapper for the functions that analyze the input stream and 
render data for the Template view 

def process( file_name = "" )   Wrapper for the function that runs analyse_stream and 
displays the results within Inspector itself 


TemplateField is defined as (name, position, size, value, significant=False). 


name = The name of the field, as shown in Inspector's Data Structure view 

position = The start byte of the field within the stream (i.e., if the stream's current position is 
0 and this value is set to 4, the start byte for this TemplateField is byte number 4) 

size = The size in bytes of the defined object (depends on the object type) 

value = The actual interpreted value of the data based on the position and size 

significant = Whether this value is forensically significant (subjective) 
Object types 


• read_bytes(self, count)  Read the input stream and return the bytes of that stream 


Note: Bytes that can be rendered in ASCII are rendered; the rest show their raw hex value. 


• read_ascii(self, count)  Read the input stream and return the ASCII representation of 
that stream 

• read_utf_8(self, count)  Read the input stream and return a UTF-8 string representation 
of that stream 

• read_string(self, count, encoding)  Read the input stream and return a string in the 
analyst's defined encoding 

• read_string_null_terminated(self, encoding="")  Read the input stream up to a null 
terminator and return a string in the analyst's defined encoding 

• read_uint8(self)  Read the input stream and return an 8-bit unsigned integer 

• read_int8(self)  Read the input stream and return an 8-bit signed integer 

• read_uint8_template(self, name, significant=False)  Read an unsigned 8-bit integer from 
the input stream and return a TemplateField (preferred method for getting a value, as it 
tracks the position for you) 

• read_int8_template(self, name, significant=False)  Read a signed 8-bit integer from the 
input stream and return a TemplateField 

• read_uint16(self)  Read the input stream and return a 16-bit unsigned integer 

• read_int16(self)  Read the input stream and return a 16-bit signed integer 

• read_uint16_template(self, name, significant=False)  Read an unsigned 16-bit integer from 
the input stream and return a TemplateField (preferred method for getting a value, as it 
tracks the position for you) 

• read_int16_template(self, name, significant=False)  Read a signed 16-bit integer from the 
input stream and return a TemplateField 

• read_uint32(self)  Read the input stream and return a 32-bit unsigned integer 

• read_int32(self)  Read the input stream and return a 32-bit signed integer 

• read_uint32_template(self, name, significant=False)  Read an unsigned 32-bit integer from 
the input stream and return a TemplateField (preferred method for getting a value, as it 
tracks the position for you) 

• read_int32_template(self, name, significant=False)  Read a signed 32-bit integer from the 
input stream and return a TemplateField 

• read_uint64(self)  Read the input stream and return a 64-bit unsigned integer 

• read_int64(self)  Read the input stream and return a 64-bit signed integer 

• read_uint64_template(self, name, significant=False)  Read an unsigned 64-bit integer from 
the input stream and return a TemplateField (preferred method for getting a value, as it 
tracks the position for you) 

• read_int64_template(self, name, significant=False)  Read a signed 64-bit integer from the 
input stream and return a TemplateField 

• read_bool(self)  Read the input stream and return a boolean 

• read_single(self)  Read the input stream and return a single-precision float 

• read_double(self)  Read the input stream and return a double-precision float 

• read_dos_date_template(self, name, swapBytes, tz_offset_minutes, 
tz_unknown=False, significant=False)  Return the DOS date and time from a 4-byte input 
stream; the time zone defaults to unknown, since DOS dates are local time 

• read_win_filetime_template(self, name, tz_offset_minutes, tz_unknown=False, 
significant=False)  Return the FILETIME from an 8-byte input stream 

• read_mac_date_template(self, name, tz_offset_minutes, tz_unknown=False, 
significant=False)  Return the Mac OS date and time from a 4-byte input stream 

• read_unix_date_template(self, name, tz_offset_minutes, tz_unknown=False, 
significant=False)  Return the Unix date and time from a 4-byte input stream 
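The ZIP local file header walk that the Data Structure example earlier on this page shows (DOS Date & Time at position 10, Compression, CRC-32, File Name), written as a template against the stream and TemplateField calls listed above. This is an added example, not a template shipped with Inspector: it assumes the bbt_framework names behave as the reference describes, and when that module cannot be imported (that is, outside Inspector) it substitutes a minimal stand-in of its own so the template can be run and unit-tested from an ordinary Python interpreter. The stand-in's behaviour, and the way BBTStream is fed raw bytes for testing, are this example's assumptions, not Cellebrite's code. The sample archive is constructed in memory.

```python
import io, struct, zipfile, zlib

try:
    from bbt_framework import *                       # inside Inspector
except ImportError:                                   # outside Inspector: stand-in with assumed semantics
    BBTFunctionsAvailable = False

    class TemplateField:
        def __init__(self, name, position, size, value, significant=False):
            self.name, self.position, self.size = name, position, size
            self.value, self.significant, self.children = value, significant, []
        def append(self, field):
            self.children.append(field)
        def display(self, depth=0):
            print("  " * depth + "%s = %r  (pos %d, %d bytes)" % (self.name, self.value, self.position, self.size))
            for child in self.children:
                child.display(depth + 1)

    class BBTStream:
        def __init__(self, source):                   # a file path, or raw bytes when testing
            self._buf = source if isinstance(source, (bytes, bytearray)) else open(source, "rb").read()
            self.position, self.little_endian = 0, True
        def length(self):
            return len(self._buf)
        def read_bytes(self, count):
            chunk = self._buf[self.position:self.position + count]
            if len(chunk) != count:
                raise EOFError("read past end of stream")
            self.position += count
            return bytes(chunk)
        def _int(self, code):
            order = "<" if self.little_endian else ">"
            return struct.unpack(order + code, self.read_bytes(struct.calcsize(code)))[0]
        def read_uint16(self):
            return self._int("H")
        def read_uint32(self):
            return self._int("I")
        def read_utf_8(self, count):
            return self.read_bytes(count).decode("utf-8", "replace")

COMPRESSION = {0: "None", 8: "DEFLATE", 12: "BZIP2", 14: "LZMA"}      # APPNOTE method numbers


def dos_date_time(time16, date16):
    """Packed MS-DOS time and date words: 2-second resolution, local time, zone unknown."""
    return "%04d-%02d-%02d %02d:%02d:%02d (UNKN)" % (
        1980 + (date16 >> 9), (date16 >> 5) & 0xF, date16 & 0x1F,
        time16 >> 11, (time16 >> 5) & 0x3F, (time16 & 0x1F) * 2)


def analyse_stream(stream):
    stream.little_endian = True                       # every ZIP header field is little endian
    root = TemplateField("ZIP", 0, stream.length(), "")
    try:
        while stream.position + 30 <= stream.length():
            start = stream.position
            if stream.read_uint32() != 0x04034B50:    # "PK\x03\x04": local file header
                stream.position = start               # central directory or junk: stop here
                break
            rec = TemplateField("ZIP FILE RECORD", start, 0, "")
            root.append(rec)
            rec.append(TemplateField("Signature", start, 4, "PK\\x03\\x04"))
            rec.append(TemplateField("Version Needed", start + 4, 2, stream.read_uint16()))
            flags = stream.read_uint16()
            rec.append(TemplateField("Flags", start + 6, 2, "0x%04X" % flags))
            method = stream.read_uint16()
            rec.append(TemplateField("Compression", start + 8, 2, COMPRESSION.get(method, str(method))))
            t, d = stream.read_uint16(), stream.read_uint16()
            rec.append(TemplateField("DOS Date & Time", start + 10, 4, dos_date_time(t, d), significant=True))
            rec.append(TemplateField("CRC-32", start + 14, 4, "0x%08X" % stream.read_uint32()))
            csize, usize = stream.read_uint32(), stream.read_uint32()
            rec.append(TemplateField("Compressed Size", start + 18, 4, csize))
            rec.append(TemplateField("Uncompressed Size", start + 22, 4, usize))
            nlen, xlen = stream.read_uint16(), stream.read_uint16()
            name = stream.read_utf_8(nlen)
            rec.append(TemplateField("File Name", start + 30, nlen, name, significant=True))
            if xlen:
                rec.append(TemplateField("Extra Field", start + 30 + nlen, xlen, stream.read_bytes(xlen)))
            rec.value = name
            if flags & 0x0008:                        # sizes live in a trailing data descriptor,
                rec.size = stream.position - start    # so only the header is claimed and we stop
                break
            stream.position += csize                  # skip the compressed data instead of reading it
            rec.size = stream.position - start
    except Exception:
        import logging
        logging.exception("zip template")
        root.append(TemplateField("Invalid ZIP Data", stream.position, stream.length() - stream.position, ""))
    return root


def process(file_name=""):
    root = analyse_stream(BBTStream(file_name))
    root.display()
    return root


# Constructed sample archive, built in memory (not the bobbyR.zip from the screenshot).
SAMPLE_TEXT = b"hello from the sample archive\n"
_buf = io.BytesIO()
with zipfile.ZipFile(_buf, "w") as _zf:
    _zf.writestr(zipfile.ZipInfo("bobbyR.txt", date_time=(2015, 11, 24, 9, 55, 4)),
                 SAMPLE_TEXT, compress_type=zipfile.ZIP_DEFLATED)
SAMPLE_ZIP, SAMPLE_CRC = _buf.getvalue(), zlib.crc32(SAMPLE_TEXT)

if not BBTFunctionsAvailable:
    process(SAMPLE_ZIP)
```

Dropped into the Template Scripts folder named above as zip_template.py, this would override the built-in ZIP template. Two points are worth copying into any template: the loop stops on the first signature it does not expect rather than trusting lengths from the file, and the data descriptor case (flag bit 3) is reported as such instead of guessing a size, because a carved or truncated archive is exactly the input a forensic template will meet.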


You can change the template colors in Inspector on the Templates tab in the Preferences. For 
more information, see Inspector Preferences or Options. 


[Screenshot: Preferences window, Templates tab (other tabs: General, Options, Report, Export, 
Dialogs, Project VIC). A table lists the data types bool, bytes, datetime, fileslack, float, int, 
long, NoneType, ramslack, str and unicode with a Regular and a Significant color for each, 
followed by Back Color and Text Color fields and the buttons Reset bool to Default and Reset 
All to Default.] 


The standard data type colors returned by the template can be changed in this view. Highlight 
the data type to change and choose the back color and/or the text color to alter. Clicking a 
color block opens the standard OS color picker; hex color values can also be entered manually in 
the text fields. To reset a single item to its default color, select that item and click Reset 
<type> to Default, where <type> is the selected data type. To reset the entire color scheme to 
the default, click Reset All to Default. 




August 2021 Inspector User Guide 


Go to Position in Hex View 


The hex view has a position jump feature for moving to a specific position (offset) within a file. 
There are three ways to change the position. The first and easiest is the Go to Position field at 
the bottom of the Hex tab. The other two are the context menu and the Edit menu; both contain 
the Jump to Hex Offset option, which lets you enter a position to move to. 


[Screenshot: Hex tab of a binary plist (bplist00 ... X$versionX$objectsY$archiverT$top) from the 
file (of 106) /Racer - Data/Users/josh/Documents/iChats/2010-12-01/leopardbbt on 2010-12-01 
at 15.38.ichat, with the status bar reading Sector Offset: 0x7F (127) Position: 0x7F (127) 
Selection: 0x1 (1).] 


Type the position to jump to in the Position box, and Inspector moves the position highlight to that numbered position. If you enter a position that does not exist, Inspector highlights the last possible position to indicate that there are no more positions to see. You can choose whether to enter the position in decimal or hexadecimal notation.


[Screenshot: File Content view (Hex, Strings, Preview, Metadata, Location and Record tabs) showing a later part of the hex dump of /Racer - Data/Users/josh/Documents/iChats/2010-12-01/leopardbbt on 2010-12-01 at 15.38.ichat (1 of 106)]


Recovered SQLite Records 


Inspector attempts to recover deleted records from SQLite databases automatically. If a view 
exists for a specific SQLite database, such as the Messages sub-view, then any full, intact, or 
recovered records will be displayed in the Content pane. Recovered records are highlighted in 
red italics, denoting that they were at one time deleted records that have now been recovered. 


Many partial items can also be recovered from SQLite databases. These partial fragments can be 
seen in the File Content view under the Preview tab. An SQLite database must be selected, and 
when you click Preview, the tables for the SQLite database display along with a table named 
Recovered Fragments. 


The Recovered Fragments table is not part of the SQLite database. It is designed to display any 
recovered fragment data that cannot be placed into specific cells or columns, as there is no 
context for where the fragments originally existed. Like text items, these fragments can be 
tagged and placed into the report. When tagged, the tag icon appears next to the selected items. 
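The Recovered Fragments idea in miniature, as an added example that is not Inspector's code: after rows are deleted, their bytes can survive on pages SQLite has moved to its freelist, where they no longer belong to any table or cell. The script constructs a throwaway database, walks the freelist trunk chain described in the SQLite file format (header offsets 32 and 36, page size at offset 16), and pulls printable runs out of the free pages; all names and sample rows are constructed here.

```python
"""Recover string fragments from the free pages of a SQLite database."""
import os
import re
import sqlite3
import struct
import tempfile

PRINTABLE = re.compile(rb"[\x20-\x7e]{8,}")   # ASCII runs of 8+ characters


def read_header(data: bytes) -> dict:
    """Parse the fields of the 100-byte SQLite file header that we need."""
    if data[:16] != b"SQLite format 3\x00":
        raise ValueError("not a SQLite 3 database")
    page_size = struct.unpack(">H", data[16:18])[0]
    if page_size == 1:                 # the value 1 encodes a 65536-byte page
        page_size = 65536
    first_trunk, free_count = struct.unpack(">II", data[32:40])
    return {"page_size": page_size, "first_trunk": first_trunk,
            "freelist_count": free_count}


def freelist_pages(data: bytes, hdr: dict):
    """Walk the freelist trunk chain and yield (page_no, kind) for each free page."""
    page_size = hdr["page_size"]
    trunk = hdr["first_trunk"]
    seen = set()
    while trunk and trunk not in seen:     # guard against loops in a damaged file
        seen.add(trunk)
        off = (trunk - 1) * page_size
        nxt, n_leaves = struct.unpack(">II", data[off:off + 8])
        n_leaves = min(n_leaves, (page_size - 8) // 4)   # cap a corrupt count
        yield trunk, "trunk"
        for i in range(n_leaves):
            leaf = struct.unpack(">I", data[off + 8 + 4 * i:off + 12 + 4 * i])[0]
            yield leaf, "leaf"
        trunk = nxt


def recover_fragments(path: str) -> list:
    """Return [(page_no, offset_in_page, text)] for printable runs on free pages."""
    with open(path, "rb") as fh:
        data = fh.read()
    hdr = read_header(data)
    found = []
    for page_no, _kind in freelist_pages(data, hdr):
        off = (page_no - 1) * hdr["page_size"]
        page = data[off:off + hdr["page_size"]]
        for m in PRINTABLE.finditer(page):
            found.append((page_no, m.start(), m.group().decode("ascii")))
    return found


def make_sample_db(path: str, rows: int = 300) -> None:
    """Constructed sample: insert chat-like rows, commit, then delete them all."""
    con = sqlite3.connect(path)
    con.execute("PRAGMA auto_vacuum = NONE")    # keep freed pages in the file
    con.execute("PRAGMA secure_delete = OFF")   # do not zero deleted content
    con.execute("CREATE TABLE message (ROWID INTEGER PRIMARY KEY, text TEXT)")
    con.executemany("INSERT INTO message(text) VALUES (?)",
                    [(f"constructed deleted message {i:04d} " + "x" * 80,)
                     for i in range(rows)])
    con.commit()
    con.execute("DELETE FROM message")    # pages below the root go to the freelist
    con.commit()
    con.close()


def demo() -> dict:
    """Build the sample, recover fragments and report what was found."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "sample.db")
        make_sample_db(path)
        with open(path, "rb") as fh:
            hdr = read_header(fh.read())
        frags = recover_fragments(path)
        hits = [t for _, _, t in frags if "constructed deleted message" in t]
        return {"freelist_count": hdr["freelist_count"],
                "fragments": len(frags), "hits": len(hits),
                "sample": hits[0] if hits else None}


if __name__ == "__main__":
    print(demo())
```

The fragments carry a page number and offset but no table or column, which is exactly why a viewer has to present them separately from the live tables.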
Viewing Embedded .plist Data and .jpg Pictures


When a .plist contains embedded .plist data, you can see that data in the File Content view. 
Select a .plist that contains embedded .plist data, and click Preview in the File Content view. 
Embedded .plist data is denoted in the Type column. You can expand items to reveal .plist data. 


• On a Mac computer, click the disclosure triangle.
• On a Windows computer, click +.


You can also expand all data within the .plist. 


• On a Mac computer, press OPT while you click the disclosure triangle to the left of Root.
• On a Windows computer, press ALT while you click + to the left of Root.


[Screenshot: File Content view, Preview tab, showing the Key, Type and Value columns of an expanded .plist]


You can also see .jpg files that are embedded in a .plist. Click «View Picture» in the Value 
column, and the embedded .jpg opens in a new Plist Picture window. 


[Screenshot: Preview tab showing an iTunesMetadata entry of type Plist Data (34 items) in the Key, Type and Value columns]
When a database contains .plist data, you can see that data. In the File Content view, select a database that contains .plist data and click Preview. Select a table in the list on the left, and then click «View Plist» to the right. A separate Database Plist window appears where you can also show or hide .plist data.


[Screenshot: Preview tab of a Messages SQLite database; the table list on the left (message, attachment, handle, chat_handle_join, chat_message_join, sync_deleted_chats, sync_deleted_attachments and others) and the message table on the right, with «View Plist» links in the properties column]


You can also see .jpg files that are embedded in a database. In the File Content view, select a database that contains a .jpg file and click Preview. Select a table in the list on the left and click «View Picture» to the right. The .jpg opens in a new Database Picture window.


Managing List Views 


Inspector allows for secondary sorting of columns. In most views that contain columns, clicking 
on a column header toggles between sorting by that column in ascending or descending order. A 
single arrow in the column header denotes a primary sort, as well as indicating the direction (up 
for ascending or down for descending). 


You can add a secondary sort by pressing SHIFT while you click a second column header. A set of double arrows is shown to denote a secondary sort. You can remove a secondary sort by clicking a column of choice for primary sorting.


[Screenshot: Date Created column with a single arrow (primary sort) and Date Modified column with double arrows (secondary sort); rows dated 2014-10-01, 2014-12-27 and 2014-12-28 (UTC)]


Column Reordering 


You can reorder columns by clicking View » Adjust List Columns. 


[Screenshot: View menu showing Adjust List Columns... and Show File Info]


A separate window opens. Select and drag each item in the list to the appropriate order. Each item can also be shown or hidden by activating or deactivating its checkbox in this list. When you have finished making changes, click Apply Changes. The columns now appear in the specified order.


[Screenshot: Adjust List Columns window (Drag Rows To Reorder) listing the columns Tagged State (fixed), Evidence ID (fixed), BL ID, FS ID, Name, Size, MD5, Date Created, Date Modified, Date Accessed, Date Added, Version Index, Extension, Content Extension, Path, Directory, Locked, Hidden, Category, SHA1, SHA256 and Entropy, each with a Visible checkbox, and the buttons Reset List To Defaults, Cancel and Apply Changes]


To return columns to the default appearance, click View » Adjust List Columns, click Reset List To Defaults, and then click Apply Changes.
Settings, Preferences, and Options


Inspector displays date, time and numeric attributes according to the settings for the operating 
system on the analysis computer. These settings determine how Inspector displays information 
in various views, as well as how some data is reported. It is important that these settings are 
appropriate for any given case. 


Separately from that, you can manage preferences and options within Inspector itself. 


• Inspector Preferences or Options
• System Preferences on Mac Computers
• System Settings on Windows 10 Computers


Inspector Preferences or Options 


You can manage preferences and options for Inspector such as the default evidence list font size, 
iOS device deleted record recovery behavior, examiner report appearance, data export options, 
and search options. These are different from preferences or options for your operating system. 


• In the menu bar for a Mac computer, click Inspector » Preferences.
• In the menu bar for a Windows computer, click Edit » Options.


The Preferences window appears. 


[Screenshot: Preferences window with the tabs General, Options, Report, Export, Dialogs, Templates and Project VIC; the General tab shows Font size for lists (Default), Font for File Content View text display (Default), Use Monospace Font, Language (English) and Hash Comparison (MD5, SHA-1, SHA-256)]


These are the tabs on the Preferences window. 


• General Tab
• Options Tab
• Report Tab
• Export Tab
• Dialogs Tab
• Templates Tab
• Project VIC Tab
General Tab


On the Preferences window, click General. 


[Screenshot: Preferences window, General tab: Font size for lists (Default), Font for File Content View text display (Default), Use Monospace Font, Language (English), Hash Comparison (SHA-1, SHA-256)]


In the Font size for lists field, you can increase or decrease the default font size for lists in 
Inspector. This setting affects several views of the Content pane. It does not change data export 
font settings or font settings in data views that do not display data as a file list. 


In the General tab, you can also change the font size for the File Content view and change the 
language. 


Full Disk Access is a security feature in versions of macOS 10.14 (Mojave) and higher. It must be enabled for Inspector to function properly on Mac computers. When Full Disk Access is enabled, it is shown in the General tab. If it is disabled, you can click Enable Full Disk Access.


The General tab also provides options for Hash Comparison. Hash sets in Inspector can contain 
one or all of MD5, SHA-1 and SHA-256 hash values. By default, Inspector performs hash 
comparisons using MD5. You can mark the checkboxes for SHA-1 and SHA-256 to allow 
Inspector to perform hash comparisons using those hash values. 
Options Tab


On the Preferences window, click Options. 


[Screenshot: Preferences window, Options tab: iOS Devices (Recover Deleted SQLite Records); Processing Options (Max Number of Processors to Utilize: 4, Remember Ingestion Options, Microsoft Symbols Settings...); Search Options (Deduplicate Hits Across Volume Shadow Copies, Indexed Search Memory Size (MB) (default - 2048), "Memory size changes take effect when opening a case."); Embedded HTML Links (Follow URL Links)]


You can mark or unmark the Recover Deleted SQLite Records checkbox. Marking this box 
allows Inspector to automatically recover deleted iOS records from SQLite databases. The iOS 
Recover Deleted SQLite Records checkbox should remain marked unless problems occur while 
running Inspector. 


Processing Options 


Inspector takes full advantage of machines with multi-core CPUs during device acquisition and 
searching. To manually set the maximum number of processors for Inspector to use, in the Max 
Number of Processors to Utilize field, choose a processor number. This change is effective for 
future ingestion, parsing, and searching. To make this change effective immediately, restart 
Inspector. 


Mark the checkbox for Remember Processing Options if appropriate. When this option is marked, you can select custom ingestion options for a specific attached device (in the right portion of the Add Evidence window), cancel and close the case, then later reopen the case to find the processing options have been remembered in the Add Evidence window.


For information about Microsoft Symbols Settings, see Adding a Memory File. 
Search Options


This section contains options for both Content searches and Index searches. The Deduplicate 
Hits Across Volume Shadow Copies option applies to Content keyword searches. For more 
information, see Content Keyword Searches. 


The Indexed Search Memory Size (MB) option sets the amount of memory Inspector allocates for indexing and index searches. The default setting allocates 2 GB (2048 MB) but can be increased or decreased. The minimum is 512 MB, the maximum is 100 GB. When Index Search Memory Size (MB) is changed, Inspector must be restarted for the new setting to take effect. Keep in mind that changing how much memory is allocated for Inspector may affect the overall performance of Inspector and of any other software you are running on your system. Running Inspector processing options separately enhances performance.


In the Embedded HTML Links section, you can mark or unmark the checkbox to Follow URL 
Links. 


Report Tab 


On the Preferences window, click Report. 


[Screenshot: Preferences window, Report tab: Chat Message Report Format (Conversation View selected, List View); Censored Picture Caption (Sensitive); Tag Narrative Report Caption (Narrative); Create previews for tagged email (Will slow report generation); NOTE: Email previews will not be created if the 'Export' checkbox is not checked in the Report view]


You can choose the way SMS/MMS (chat) messages appear in the examiner report. The chat 
format preference has two settings. 


• Select Conversation View to display chats in the examiner report the same way they appear natively on an iOS or Android device screen.
• Select List View to display chats in a list format.
To customize censored picture captions and tag narrative captions, type the desired caption text
into the Censored Picture Caption and Tag Narrative Report Caption fields respectively. 


To enable email previews within reports, mark the Create previews for tagged email (Will slow 
report generation) checkbox. 


Export Tab 


On the Preferences window, click Export. 


[Screenshot: Preferences window, Export tab: Tab Delimited Data Export - Use (Spaces); CSV Delimited Data Export - Use (No Replacement); Exporting Files (Export alternate data stream (ADS) with file content, Dedupe Hard Links, L01 Segment Size (MB): 0)]


You can specify default file export settings. You can select and export data from the Content pane to a delimited text file, but this process requires some preliminary data manipulation. If a data cell contains non-printing characters (tabs, carriage returns, or line feeds), a clean tab- or line-delimited export fails unless these characters are replaced or "escaped" prior to export.
For a tab-delimited data export, these are the available data export settings.


 #  Setting                 Description                                             Tab Delimited  CSV Delimited
 1  Spaces                  Replaces all non-printing characters with spaces        yes            yes
 2  Escaped with \t and \r  Replaces tabs with \t; replaces both carriage returns   yes            yes
                            and line feeds with \r
 3  <TAB>, <EOL>            Replaces tabs with <TAB>; replaces both carriage        yes            yes
                            returns and line feeds with <EOL>
 4  <TAB>, <CR>, <LF>       Treats both types of end-of-line characters as          yes            yes
                            separate entities: replaces tabs with <TAB>, carriage
                            returns with <CR>, and line feeds with <LF>
 5  No Replacement          Does not replace non-printing characters                               yes


The Tab Delimited Data Export option is set to escape using Spaces by default, and the CSV 
delimited export option is set to not replace non-printing characters by default. These default 
settings work under most circumstances and should be used if you are unsure about which 
settings to choose. 
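The five replacement settings modelled in code, as an added example that is not Inspector's export routine: it shows the failure the text warns about (an unescaped line feed in one cell turns one record into two lines of a tab-delimited file) and why a CSV export can get away with No Replacement. The rows are constructed, and the CSV flavour assumes standard quoting, not a description of Inspector's writer.

```python
"""Escape non-printing characters before a delimited export."""
import csv
import io

# Replacement tables keyed by the setting name from the Export tab.
MODES = {
    "Spaces":            {"\t": " ",     "\r": " ",     "\n": " "},
    "Escaped \\t \\r":   {"\t": "\\t",   "\r": "\\r",   "\n": "\\r"},
    "<TAB>, <EOL>":      {"\t": "<TAB>", "\r": "<EOL>", "\n": "<EOL>"},
    "<TAB>, <CR>, <LF>": {"\t": "<TAB>", "\r": "<CR>",  "\n": "<LF>"},
    "No Replacement":    {},
}

# Constructed rows: Name, Size, Message Text. The second message holds
# CR LF and a tab, the characters the Export tab settings deal with.
SAMPLE_ROWS = [
    ["note.txt", "12", "meet at 9"],
    ["chat.db", "4096", "line one\r\nline two\tindented"],
]


def escape_cell(value: str, mode: str) -> str:
    """Apply one replacement setting to a single cell, character by character."""
    table = MODES[mode]
    return "".join(table.get(ch, ch) for ch in value)


def tab_export(rows, mode: str) -> str:
    """Tab-delimited export: one record per line, fields joined by tabs."""
    return "".join("\t".join(escape_cell(c, mode) for c in row) + "\n"
                   for row in rows)


def csv_export(rows, mode: str) -> str:
    """CSV export with standard quoting (assumed format, not Inspector's writer)."""
    buf = io.StringIO()
    csv.writer(buf).writerows([[escape_cell(c, mode) for c in row]
                               for row in rows])
    return buf.getvalue()


def tab_field_counts(text: str) -> list:
    """Fields per physical line, as a naive tab-delimited reader sees them."""
    return [len(line.split("\t")) for line in text.splitlines()]


def csv_record_count(text: str) -> int:
    """Records a standard CSV reader recovers from the exported text."""
    return sum(1 for _ in csv.reader(io.StringIO(text, newline="")))


if __name__ == "__main__":
    for mode in MODES:
        counts = tab_field_counts(tab_export(SAMPLE_ROWS, mode))
        print(f"{mode:18s} tab-delimited fields per line: {counts}")
    print("CSV records with No Replacement:",
          csv_record_count(csv_export(SAMPLE_ROWS, "No Replacement")))
```

With No Replacement the tab-delimited output has a third line carrying only two fields; every other setting keeps two lines of three fields, and the CSV reader still recovers two records because the quoted cell protects its line breaks.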


In the Exporting Files section, you can manage several options. 


NTFS files may contain alternate data streams (ADS). When exporting an NTFS file, if Export 
alternate data stream (ADS) with file content is selected, the ADS will be exported with the file. 


To export only unique files from a Time Machine backup, mark the checkbox for Dedupe Hard 
Links. 


Time Machine backups, including the backups stored on a Time Capsule, contain incremental 
backups of a macOS system. These backups are stored in the folder Backups.backupdb, which 
stores date/time folders for each backup. On Time Capsule, the Backups.backupdb folder is 
stored in a sparsebundle. Time Machine backups are incremental but use Hard Links to give the 
appearance of full backups in each date/time folder. Once the first backup is created, Time 
Machine creates Hard Links in subsequent date/time folders that serve as pointers to the 
original files. When the next backup is made, only the files that have changed are copied into the 
backup, and Hard Links are created for files that have not changed. When Inspector processes a Time Machine backup, all the files and Hard Links are processed. Consequently, there can be millions of files and Hard Links in each Time Machine backup. When a folder is exported from a Time Machine backup, the Hard Links are resolved, so the same file is exported multiple times.
This is an Export from a Time Machine backup showing a Downloads folder. Notice the files from the first snapshot (2010-11-29-052336) are also exported in the second snapshot (2010-12-28-011524).


[Screenshot: two Finder windows of the Export folder, Backups.backupdb » Josh Bennett's MacBook » 2010-11-29-052336 and 2010-12-28-015524 » racer » Users » josh » Downloads. The first snapshot lists .DS_Store, .localized, About Downloads.pdf, Adium 1.4.1.dmg, Firefox 3.6.dmg, photo1-1.jpg, photo1.jpg and pow54.jpg (8 items); the second lists the same files plus 2011 winter workout.doc, tesla-electric-car.jpg and The Tesla is...some car.doc]


When the same folder is exported with the Dedupe Hard Links option selected, the files that were Hard Links in the second Time Machine snapshot are not exported; only the new files are exported.


[Screenshot: two Finder windows of the ExportDeduped folder. The 2010-11-29-052336 Downloads folder still holds its 8 items; the 2010-12-28-015524 Downloads folder now holds only 2011 winter workout.doc, tesla-electric-car.jpg and The Tesla is...some car.doc]
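The hard link problem and the dedupe fix in miniature, as an added example that is not Inspector's export code: a second snapshot folder is made to look complete by hard-linking the unchanged files of the first, a plain recursive export writes those files twice, and an export that remembers each file's (device, inode) writes them once. The backup tree, file names and snapshot folder names are constructed in a temporary directory.

```python
"""Export a Time Machine style backup tree once per unique file."""
import os
import shutil
import tempfile


def export_tree(src: str, dst: str, dedupe_hard_links: bool) -> list:
    """Copy src into dst and return the relative paths that were written."""
    exported = []
    seen = set()                      # (st_dev, st_ino) of files already written
    for root, dirs, files in os.walk(src):
        dirs.sort()                   # visit the oldest snapshot first
        for name in sorted(files):
            path = os.path.join(root, name)
            st = os.stat(path)
            key = (st.st_dev, st.st_ino)
            if dedupe_hard_links and st.st_nlink > 1 and key in seen:
                continue              # hard link to a file exported from an earlier snapshot
            seen.add(key)
            rel = os.path.relpath(path, src)
            out = os.path.join(dst, rel)
            os.makedirs(os.path.dirname(out), exist_ok=True)
            shutil.copyfile(path, out)
            exported.append(rel)
    return exported


# Constructed file names for the two snapshots.
UNCHANGED = ["About Downloads.pdf", "Adium 1.4.1.dmg", "photo1.jpg"]
ADDED = ["2011 winter workout.doc", "tesla-electric-car.jpg"]


def make_sample_backup(base: str) -> str:
    """Constructed Backups.backupdb: snapshot two hard-links the three files
    of snapshot one and adds two new files of its own."""
    snap1 = os.path.join(base, "2010-11-29-052336", "Downloads")
    snap2 = os.path.join(base, "2010-12-28-011524", "Downloads")
    os.makedirs(snap1)
    os.makedirs(snap2)
    for name in UNCHANGED:
        with open(os.path.join(snap1, name), "w") as fh:
            fh.write("original " + name)
        # Same inode in both snapshot folders, exactly as Time Machine does it.
        os.link(os.path.join(snap1, name), os.path.join(snap2, name))
    for name in ADDED:
        with open(os.path.join(snap2, name), "w") as fh:
            fh.write("new " + name)
    return base


def demo() -> dict:
    """Run both exports against the sample tree and summarise the difference."""
    with tempfile.TemporaryDirectory() as tmp:
        src = make_sample_backup(os.path.join(tmp, "Backups.backupdb"))
        full = export_tree(src, os.path.join(tmp, "Export"), False)
        deduped = export_tree(src, os.path.join(tmp, "ExportDeduped"), True)
        second = [os.path.basename(p) for p in deduped
                  if p.startswith("2010-12-28-011524")]
        return {"full": len(full), "deduped": len(deduped),
                "second_snapshot_deduped": sorted(second)}


if __name__ == "__main__":
    print(demo())
```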


The L01 Segment Size (MB) field specifies the segment size for Logical Evidence Files. By default, the size is set to 0; this means that any data exported to Logical Evidence Files is not segmented. The other options are 100, 250, 500, 1000, 5000 and 10000 (MB).
Dialogs Tab


On the Preferences window, click Dialogs. 


[Screenshot: Preferences window, Dialogs tab: Show Metadata selection dialog when tagging a file (checked); Show deprecated hash set warning dialog (checked); Reset Tip Dialogs, described as "Resets all Inspector Tip dialogs to display when appropriate."]


During the course of using Inspector, you can choose to hide dialogs. To show these dialogs 
again, click Reset Tip Dialogs. 


During the course of using Inspector, a user can unmark the Always show this dialog when tagging files checkbox. You can override that choice by marking the checkbox for Show Metadata selection dialog when tagging a file. This ensures that the Metadata selection dialog always appears.


To force the deprecated hash set warning dialog to always appear, mark the checkbox for Show 
deprecated hash set warning dialog. 
Templates Tab


On the Preferences window, click Templates. 


[Screenshot: Preferences window, Templates tab: a table of hex template data types (bool, bytes, datetime, fileslack, float, int, long, NoneType, ramslack, str, unicode) with Regular and Significant color samples for each; Back Color and Text Color fields; buttons Reset bool to Default and Reset All to Default]


This lets you modify the color coding for data types shown in hex templates. For more 
information, see Hex Templates and Data Structure View. 
Project VIC Tab


On the Preferences window, click Project VIC. 


[Screenshot: Preferences window, Project VIC tab: Project VIC Country Selection with Country set to US-United States; Exporting Data Models with Default category for all uncategorized pictures set to 0 - Non-Pertinent]


This tab provides setting selections for Project VIC Version 2.0 as well as older Project VIC 
versions and other data models. Project VIC Version 2.0 includes country data and corresponding 
category descriptions. Choose the appropriate country in the Country field under Project VIC 
Country Selection. These countries are available. 


• CA-Canada
• CH-Switzerland
• DK-Denmark
• EE-Estonia
• FR-France
• NO-Norway
• RO-Romania
• SE-Sweden
• UK-United Kingdom
• US-United States


You can continue support for older versions of Project VIC and other data models. Under 
Exporting Data Models, you can set a default category when exporting uncategorized images, 
videos, and thumbnails to a specific data model format. These are the supported formats. 


• Project VIC Version 1.1
• Project VIC Version 1.2
• Project VIC Version 1.3
• Project VIC Version 2.0
• BlueBear LACE
• CAALL
• S2]
System Preferences on Mac Computers


These preferences should be set according to the user preferences.


Language


1. Click Apple » System Preferences. 
2. Click Language & Region (on older OSX computers, this is Language & Text). 
3. Select the appropriate default language and drag it to the top of the list. 


Region 


Different geographic locations treat date, time and numeric formats differently. In some parts of 
the world, dates are written with the day first, then the month and the year. In other parts of the 
world, the month is written first, then the day and the year. 


• In Language & Region preferences, select the appropriate location in the Region field. Inspector displays the new date, time and numeric format settings according to the new setting.


Date and Time 


1. At the top of the Preferences window, click Show All to return to the main System Preferences window.
2. Click Date & Time.
3. Choose one of these actions.


• To manually set the current time zone and date, click the Date & Time tab.
• To use the automatic clock sync feature, click the Time Zone tab.


[Screenshot: macOS Date & Time preferences, Time Zone tab: "To select a time zone, click the map near your location and choose a city from the Closest City menu. You can also have the time zone change automatically, if possible, based on your current location."; Set time zone automatically using current location; Time Zone: Central European Summer Time; Closest City: The Hague - Netherlands]


Time Format 


The Clock preference is the most important setting because it determines how Inspector 
displays timestamps. 


1. Click the Clock tab to set the time format. 
2. Choose one of these options. 


• 24-hour format
• 12-hour format with AM and PM displayed
System Settings on Windows 10 Computers


One strategy concerning Time Zone configuration involves setting the Forensic System to UTC, 
no adjustment for daylight savings. Since Inspector will assume the same time zone as the 
Forensic System, this configuration may make sense. This strategy is of particular benefit if 
there are time zone discrepancies or if the evidentiary system traveled between time zones. The 
benefit comes in having a baseline date/time to work with; one that does not adjust based on 
location or date. Once a particular timeframe of relevance is determined, all time conversions 
can be calculated from that standard UTC baseline. 


Set Time Zone and Disable Daylight Savings Time 


1. In the Windows search box, type time zone.

2. Click Change the time zone.
The Date & time page of the Settings window appears.

3. In the Time zone field, choose the appropriate time zone.

4. Toggle Off the setting to Adjust for daylight saving time automatically.

5. Below Related Settings, click Date, time, & regional formatting.

6. On the Region page, choose the appropriate country or region.


Disabling Windows AutoPlay 


The Windows AutoPlay function allows a computer to automatically start applications on 
removable and attachable media. Once a device (CD, iOS device, Android device, etc.) is attached, 
a category populates under Devices. The user can select a default action for each individual 
device and category. The best practice is to minimize the chance of automatic processes 
launching. 


1. In the Windows search box, type AutoPlay. 

2. Click AutoPlay settings. 
The AutoPlay page of the Settings window appears. 

3. Toggle off the setting to Use AutoPlay for all media and devices. 

4. Below Choose AutoPlay defaults, set both Removable drive and Memory card to Take no 
action or Ask me every time. 


Disabling AutoPlay creates a Registry key for the logged-in user at HKEY_USERS\<SID of Relevant User Account>\Software\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers.


The created key is named DisableAutoplay with a DWORD (32-bit) value of 1. Therefore, you can manually configure the setting in the Registry editor.


[Screenshot: Registry Editor at Computer\HKEY_USERS\S-1-5-21-2628137359-3392807454-1507701342-1002\Software\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers, showing the value DisableAutoplay of type REG_DWORD with data 0x00000001 (1) and the Edit DWORD (32-bit) Value dialog]
Disable Search Indexing


1. In the Windows search box, type Services.

2. For Services, click Run as administrator.
The Services window appears.


[Screenshot: Services window (Services (Local)) with Windows Search selected; its description reads "Provides content indexing, property caching, and search results for files, e-mail, and other content." and its Startup Type is Automatic (Delayed Start)]


3. Right-click the Startup Type value, click Properties, and then click Stop.

4. In the Startup type field, click Disabled.

5. Click Apply.


[Screenshot: Windows Search Properties (Local Computer) dialog, General tab: Service name WSearch; Display name Windows Search; Description "Provides content indexing, property caching, and search results for files, e-mail, and other content."; Path to executable C:\Windows\system32\SearchIndexer.exe /Embedding; Startup type drop-down listing Automatic (Delayed Start), Automatic and Manual; Service status with Start, Stop, Pause and Resume buttons]
Managing Case Evidence


This chapter provides these topics about managing case evidence. 


• Create a New Case
• Open a Case
• Adding Evidence to a Case
• Remove Evidence from a Case
• Move a Case File to a Different Computer
• Relocating a Disk Image
• Exporting Mobile Device Evidence
• Hashing and Verifying Forensic Evidence
• Advanced Evidence Recovery
• File Entropy


Create a New Case 


Launch Inspector, or if Inspector is already running, click Window » Cases Window. The Inspector Case Manager window appears.


[Screenshot: Inspector Case Manager window listing cases with their paths, Creation Date and Modified Date, and the buttons New..., Open Other..., Remove and Cancel]


To create a new case, click New. In the Save dialog box, navigate to the location where case files 
are saved, and then click Save to save the new case and begin working with Inspector. 


On Windows computers, an Inspector case can be mapped to a volume letter of your choice, thus 
avoiding the file path character limit of Windows. Inspector defaults to the next available drive 
letter, but you can choose the drive you prefer by clicking Manage » Drive Mappings. After you 
map the case to a drive letter, close the case and then open the Case Manager window. Click 
Open Other and locate the case you just mapped. 


When you open a case file, the Case Info view appears. You can provide information about the 
examiner and the case here. You can change or add to this information any time during an 
examination. 
The Examiner Information fields retain the information you provide; you don't need to provide 
this information each time you create a case. 


Because each case is unique, you must provide the case number, case name, and synopsis for 
each case in the Case Information fields. 


[Screenshot: Case Info view showing the Case Information fields Number, Name and Synopsis, the Index Searches and Investigative Notes sections, a Field/Value table, the Case Time Zone Display field (Time Zone: UTC, Example: 2021-03-09 04:02:46 (UTC)) and the Inspector build identifier in the bottom left corner]


Inspector detects if it has not been updated recently and notifies you when an update is available, 
with links that provide access to necessary updates. 


Inspector Time Zone Settings 


In the bottom left corner of the Case Info window, you may select a time zone in the Time Zone 
field. This determines the time zone used by evidence timestamps in the Case Window and in the 
examiner report. 


By default, Inspector displays timestamps as Coordinated Universal Time (UTC). Dates and times 
are displayed with the selected time zone appearing in parentheses, for example: 2009-12-19 
19:34:51 (PST). Inspector makes automatic adjustments for daylight saving time shifts for 
different parts of the world. You don't need to make any manual changes. 


After case information is complete, you can begin adding evidence to the case file. 
On a Mac computer, an Inspector case file is actually a package file. 
On a Windows computer, an Inspector case is a folder. 


All case elements are stored in this folder or package file, so a case file can grow rather large 
depending on how big a case is. Before you create a new case, make sure there is plenty of 
storage space on the working hard drive. 
Open a Case 


Launch Inspector, or if Inspector is already running, click Window » Cases Window. The 
Inspector Case Manager window appears. 


[Screenshot: Inspector Case Manager window (Cellebrite Inspector 10.3) listing the recent cases testtemplates.inspector, first.inspector, Tech Pubs.inspector and Second Inspector Case.inspector with their creation and modified dates and file paths, and the buttons New..., Open Other..., Remove and Cancel]


The Inspector Case Manager window shows a list of recently opened cases. To open a case file, 
select the case and click Open. To reopen a case after it has been removed from the recent case 
list, click Open Other, navigate to the case file, and then click Open. You can open a case located 
anywhere in the file system. 


• On Windows computers, double-click the case file in File Manager. 

• On Mac computers, double-click the case file in Finder. You can also drag a case file 
from Finder onto the Inspector Case Manager window to add it to the recent case list. 


If the case list becomes too long, you can remove items from the list. Open the context menu 
from a case, and then click Delete from recent item list. You can also select a case and press 
DELETE. This removes the case from the list but does not delete the case file itself. To see the 
location of a case file in the file system, open the context menu from the case, and then click 
Reveal on Disk. 


Update a Case to Work in a Newer Version of Inspector 


If you open a case that was created using a version of Inspector that is older than the version 
currently running on your computer, this message appears: The case document is out of 
date. Would you like to update the document now? Click Update to update the case file. 
You can click Cancel to continue working with the case file without updating it, but this is not 
recommended. 


Case files created in older versions of Inspector sometimes cannot be updated to the newest 
version. 


Updating a case file does not automatically run any processing or analysis. To take advantage of 
new or enhanced processing or features, you must re-examine case data. 
1. Archive the case file in the older version of Inspector. 
2. Import the archived case into the newer version of Inspector. 
3. Reprocess the evidence in the newer version of Inspector. 

This ensures that all functions and features of the newer version of Inspector are used to 
analyze the data. 


Adding Evidence to a Case 


These types of evidence can be ingested into a case in Inspector. 


Evidence Type: Description 


Disk Image 
  A forensic image. Inspector supports dd, dmg, sparse images/bundles, vmdk, E01, Ex01, L01, 
  AFF4, and SMART image formats. Use this option to add iOS images created by: JZ, iXAM, 
  Cellebrite, MPE+, and ElcomSoft. 

Selected Image File 
  A selected image file or virtual machine file is an evidence item in the Component list 
  (available only when an image file or VM file is selected) 

Unencrypted or Encrypted iOS Disk Image 
  An unencrypted iOS disk image, or a forensically-acquired third-party iOS disk image with 
  proprietary encryption enabled (for example, Cellebrite, Lantern Lite, etc.) 

iOS Backup 
  An iOS device (such as iPhone or iPad) backup folder 

Memory (Dump, Image, File) 
  A Windows memory (RAM) file. Inspector supports raw, hiberfil.sys (Hibernation file, from 
  Windows Vista through Windows 10 v1703), pagefile.sys, and crash dumps (full, from Windows 
  Vista or Windows 7). 

USB Attached Mobile Device 
  A mounted iOS device (iPod, iPhone or iPad), or Android device 

Other Attached Device 
  A mounted device such as a .dmg image, a Time Machine, an external FireWire or USB drive, or 
  a mounted .E01 file (EWMounter) 

Mobilyze Case 
  A case from Mobilyze, Cellebrite's mobile device triage tool 

Folder 
  A folder and the folder's contents 

File 
  An individual non-disk image file 

Berla Inspector .ivx Database 
  A database exported from Berla iVe Desktop using the Cellebrite export option 

iCloud Production Files from Apple 
  iCloud zip archives extracted from encrypted GPG files containing iCloud device backups 
  within. These files can be obtained from Apple with a valid search warrant. 
You can add disk image files, folders, iOS backups, and other external files by dragging and 
dropping them from the source (Finder, external device, etc.) onto the Evidence section of the 
Component list. Inspector imports these image formats. 


Disk Image Formats | Creation Program 
RAW Image (DD) | Most Forensic Programs 
Disk Image (DMG) | Digital Collector, Converted DD images 
EnCase (EWF-E01), (EWF-L01), (EWF2-EX01) | EnCase (all versions), FTK Imager 
SMART (EWF-S01) | ASR Smart 
Virtual Machine Disks (VMDK) including for Windows 10 | VMware 
Advanced Forensic File Format (AFF4) | Digital Collector 


iOS Image Formats | Vendor 
Cellebrite UFED PA (1.1.7.8 and higher) Physical Images | Cellebrite 
Premium CAIS extractions (.dar format) | Cellebrite 
Cellebrite Logical Images created via Method 1 (iOS backup archive) | Cellebrite 
Cellebrite Logical Images created via Method 2 (logical filesystem dump) | Cellebrite 
GrayKey | Grayshift 
iOS Forensic Toolkit (1.04 and higher) | ElcomSoft 
iPhone-Dataprotect / Lantern Lite | http://code.google.com / Katana Forensics 
JZ (all versions) | Jonathan Zdziarski Tools 
iXAM (2.3.9 and higher) | Forensic Telecommunications Services 
MPE+ (4.0 and higher) Physical Images | AccessData 


Inspector allows multi-core processing during device acquisition to speed up parsing, paths, file 
types, picture, video, and metadata processing. You can change this setting on the Options tab in 
the Preferences window. For more information, see Inspector Preferences or Options. 
Both types of acquisitions must be authenticated or "hashed" to confirm the copy is identical to 
the original. 


A forensic image (.dmg) is identical to the disk or device from which it was acquired and includes 
allocated, unallocated, and free space. It is a bit-by-bit representation of the entire physical 
drive or device. A .dmg disk image acts like a hard drive, but it is actually a single file. It can be 
resized using an application such as Apple's Disk Utility application. 


A sparse image (.sparseimage) is also a single file, but it becomes larger as additional data is 
added to it. A sparse image is a logical representation of the logical data copied to it. 


A sparse bundle is a bundle (like a folder) that contains several individual files. A sparse bundle 
is also a logical representation of the logical data that has been copied to it. 


Supported File Systems 


Inspector's filesystem parsers include parsers for the Apple File System (APFS), HFS+/HFSX 
filesystem, FAT filesystems (FAT12/FAT16/FAT32), and NTFS filesystem. Inspector will allow 
ingestion and parsing of other filesystems; however, support is currently experimental as they 
have not been fully tested within Inspector. 


Experimental filesystem parsers: exFAT, EXT2, EXT3, EXT4, UFS, YAFFS2, ISO 9660. 


Add Evidence Items 


You can add evidence files to a case in Inspector from the Component list by dragging and 
dropping, or from the File menu. 


• Click File » Add Evidence. 
• In the Evidence section of the Component list, click Add. 


The Add Evidence window appears with all appropriate options for data ingestion. Inspector 
automatically scans for attached or mounted live devices, including attached and unlocked 
mobile devices, for display in the upper left under Attached/Mounted Devices. Attached disks or 
volumes are hidden by default, but you can see or hide them by clicking Show or Hide. Below 
that are any files, folders, memory images, and disk images that are potentially being added to 
the case. (Each item has a checkbox that can be selected or deselected. The item will only be 
included in the ingestion process if the item's checkbox is activated.) To remove an item from 
this list, open Inspector's context menu from the item and click Remove. To add an item to the 
list, click Add, then choose the appropriate disk image, folder, or file. 
It is possible to add multiple items to a case at the same time. Select each item for processing 
and choose the desired ingestion options. 


Click Refresh at the bottom of the window, and Inspector once again scans for attached or 
mounted live devices, including attached and unlocked mobile devices, and displays them in the 
Add Evidence window. 


[Screenshot: Add Evidence window. Left pane: Attached/Mounted Devices (with Show/Hide) and the evidence item Bennett-Computer-200520.E01 (EWFImage) with its Evidence ID. Middle pane: the image's partitions with their sizes and checkboxes: Primary GPT Header, Primary GPT Table, Unallocated, EFI System Partition (FAT32), Racer - Data (APFS), Snapshots: Racer - Data (APFS) (0 Selected, 4 Unselected, 0 Processed), Preboot (APFS), Recovery (APFS), VM (APFS), Racer (APFS), Unallocated (APFS), Basic data partition (NTFS), VSCs: Basic data partition (NTFS) (0 Selected, 2 Unselected, 0 Processed), Unallocated. Right pane: Processing Options with the Preview, Triage and Comprehensive quick options, the individual ingestion option checkboxes (Extract Data, DB Recovery, File Signature Analysis, Picture Analysis, Video Analysis, Process Archives, Process OCR Image Text, Calculate Hashes, Identify Known Files, File Carving, File System Journal Analysis, Spotlight Parsing, OS Event / Security Logs, Smart Indexing, Content Search (Bulk extraction), Mail Parsing and others), Manage Passwords... and No Templates. Bottom: Refresh, Remove, 1 of 1 selected, Cancel, Start]


When an item is selected in the left pane, all its partitions are displayed in the middle pane. 
Partitions with recognized file systems display with activated checkboxes by default, while 
partitions with non-recognized file systems do not have activated checkboxes. APFS Snapshots 
and Windows Volume Shadow Copies (VSCs) are also displayed in the middle pane with an 
expansion arrow. Underneath each Snapshot and VSC entry is a label indicating the number of 
Snapshots or VSCs Selected, Unselected and Processed. By default, none of the Snapshots and 
VSCs are selected for processing. Like all other volumes listed, different processing options can 
be set for each individual Snapshot and VSC. Keep in mind, processing all Snapshots and VSCs will 
take time. They do not have to be ingested during initial evidence processing. 


If you mark the checkbox for a partition with a non-recognized file system, Carve Unallocated 
then becomes an available option for that partition. 


Any partition with a recognized file system may also be imported as unallocated. Open 
Inspector's context menu from the partition and click Import Partition as Unallocated. The 
Carve Unallocated option becomes available for that partition. 


Attached disks in the left pane can also be imported as unallocated in the same fashion. Open 
Inspector's context menu from the item and click Import as Unallocated. 
Note: If the item is a partition with a recognized file system that is currently set for adding to the 
case as unallocated, Import Partition Normally is an available option in the context menu. 


If you click Add and select a memory file to add to a case, Inspector usually recognizes it as a 
memory file. However, some memory files are so complex that Inspector cannot instantly 
determine whether they are memory images. If Inspector is unable to verify a memory file within 
10 seconds, the item is displayed as a plain file. You may override this interpretation and tell 
Inspector to ingest the item as a memory file. Open Inspector's context menu from the item and 
click Memory (Dump, Image, File). 


Passware is integrated into Inspector. Images with these types of full disk encryption can be 
decrypted with the proper decryption credentials. 


• BitLocker 
• FileVault 2 
• LUKS (Linux Unified Key Setup) 
• TrueCrypt 
• VeraCrypt 


When an image file using one of these encryption types is added to Inspector, it is identified as a 
locked partition. 


[Screenshot: Add Evidence window with the image BBSFSL001_withBitlocker.E01 (EWFImage) selected in the left pane and its Evidence ID shown, an NTFS partition displayed as locked in the middle pane, and the processing options Process OCR Image Text, Calculate Hashes, Identify Known Files, File Carving, Hiberfil.sys / Pagefile.sys, Calculate File Entropy and Manage Passwords... in the right pane; bottom: Refresh, Remove, 1 of 1 selected, Cancel, Start]


When the locked volume is selected, the Volume Encryption Password Needed dialog box 
appears. 


• BitLocker requires either the password or recovery key for decryption. 

• FileVault 2 requires a user login password. 

• LUKS requires the password or recovery key. 

• For TrueCrypt and VeraCrypt volumes, select the encryption type, and then type the password. A 
VeraCrypt volume may also require the optional PIM (personal iterations multiplier). 
VeraCrypt may take several minutes to validate the password. 
[Screenshot: Volume Encryption Password Needed dialog for BBSFSL001_withBitlocker.E01. Text: Specify encryption type and password for unlocking the encrypted volume. If the volume is not encrypted, select the "Not Encrypted" type. Fields: Type (Encrypted) and Password; buttons Cancel and Confirm]


Once the volume is unlocked, choose the processing options. The decrypted data will be 
displayed in Inspector. 


With an item in the left pane selected, the middle pane shows an Evidence ID field where you can 
edit the evidence ID for the item. 


You can also perform these tasks from the Add Evidence window. 


• Recover a deleted or missing partition. 
• Specify disk sector size for a disk or partition. 
• Create an .iso disk image file from a partition. 


For more information, see Advanced Evidence Recovery. 


The Add Evidence window has these quick processing options for ingestion. 


• Preview deselects all options. 

• Triage lets Inspector automatically select only some of the options. These depend on the type 
of items selected. 

• Comprehensive selects all options. 
You can also manually select processing options for ingestion for each item, volume, Snapshot, 
or VSC so that each piece of evidence is processed in only the manner you choose. 


[Screenshot: Processing Options pane for the volume Racer (APFS), with the Preview, Triage and Comprehensive quick options and the checkboxes Extract Data, DB Recovery, File Signature Analysis, Picture Analysis, Video Analysis, Process Archives, Process OCR Image Text, Calculate Hashes, Identify Known Files, File Carving, File System Journal Analysis, Spotlight Parsing, OS Event / Security Logs, Smart Indexing, Content Search (Bulk extraction), Mail Parsing, Activity Correlation, iCloud Backups and Hiberfil.sys / Pagefile.sys (Quick Scan or Deep Scan), followed by the Manage Passwords... button and the No Templates field]


If an item is selected in the left pane while you change ingestion options in the right pane, those 
options apply to all partitions in the middle pane. However, selecting a partition in the middle 
pane allows you to change ingestion options for just that partition, if desired. 


A black square in a checkbox reflects an indeterminate value, meaning that some, but not all, of 
the sub-options for that selection are activated. For example, if you mark the Calculate Hashes 
checkbox, you see a checkmark. However, when the corresponding ellipsis button is selected and 
only the MD5 sub-option is chosen, the Calculate Hashes checkbox shows a black square, for an 
indeterminate value. The same concept applies to the left pane of the Add Evidence window. If 
only some partitions for an evidence item are selected for import, the left content pane will show 
an indeterminate value for the item rather than a checkmark. 


You can select custom processing options for a specific attached device and have them 
remembered. This lets you close the case and open it later in the Add Evidence window without 
having to select processing options again. You can change this setting on the Options tab in the 
Preferences window. For more information, see Inspector Preferences or Options. 


You may also use saved ingestion option templates. Choose the appropriate template in the Saved 
Templates field in the lower right of the Add Evidence window, and the ingestion options 
immediately update to reflect the saved template settings. For more information, see File Menu. 
Adding a Disk Image 


The process for adding a disk image is begun the same way as for adding any form of evidence to 
an Inspector case. For more information, see Adding Evidence to a Case. Additional information 
about ingestion/processing options appears below. 


In the Ingestion Options section of the Add Evidence window, mark the checkbox for the 
appropriate options. 


Option: Description 


Extract Data 
  Inspector's internal processes for populating data in the Actionable Intel, Communication, 
  Locations, Internet, Productivity, and System tabs. 

DB Recovery 
  Recovers deleted entries from databases 

File Signature Analysis 
  Compare file headers to file extensions to see if they match (populates Content Extension 
  field) 

Picture Analysis 
  Identify pictures using signature analysis; options include running Image Analyzer against 
  pictures identified for selected threat categories 

Video Analysis 
  Parse videos and split them into sixteen frame sequences (4 x 4) to allow Inspector gallery 
  view and % skin tone analysis; options include running Image Analyzer against the sixteen 
  frame sequences created for each video identified for selected threat categories 

Process Archives 
  All archive files (zip, gz, 7z, tar, and rar) are expanded down to two levels of nested 
  archives 

Process OCR Image Text 
  Process image (picture) files to extract text. Optical character recognition (OCR) converts 
  text detected in the image into plain text which can be indexed and then searched. This 
  process can be slow and is limited to these image types: 
  • pdf 
  • tif 
  • bmp 
  • png 
  • jpg 
  • gif 

Calculate Hashes 
  Hash all files using MD5, SHA-1 and SHA-256 algorithms 

Identify Known Files 
  Identify known file types using Known File Hash (KFH) databases 

File Carving* 
  Recover or attempt to recover deleted files based on defined File Signatures 

File System Journal Analysis 
  Process $USNJRL and $LogFile files in Windows and macOS .fsevents (results are displayed in 
  the System tab in the System Logs sub-view) 

Spotlight Parsing 
  macOS Spotlight extended attribute data parsing 

OS Event / Security Logs 
  Windows EVT/EVTX analysis, macOS ASL logs, and macOS Unified Logs (results are displayed in 
  the System tab in the System Logs sub-view) 

Smart Indexing 
  Create a Smart Index of processed allocated data 

Content Search (Bulk Extraction) 
  Runs built-in searches against memory files 

Mail Parsing 
  Processes Apple Mail, Outlook mail files 

Activity Correlation 
  Identifies correlated events done by the system, by a user, or by device. 

iCloud Backups** 
  Processes iOS device backups from decrypted iCloud Production files (obtained via search 
  warrants from Apple) 

Hiberfil.sys / Pagefile.sys 
  Processes Windows memory hibernation file and pagefile. If hiberfil.sys and pagefile.sys 
  files are located, Inspector processes them as separate Evidence items within the Component 
  list. 

Calculate File Entropy 
  Determines possible encryption level of files 

Manage Passwords*** 
  Enter a password, list of passwords, or import a file containing passwords (UTF-8 encoded, 
  one per line), to unlock and parse Apple keychains on macOS or iOS devices 


*This option will be seen as Carve Unallocated if importing an item as unallocated. 


** This option is only available when ingesting data from iCloud production files. For more 
information, see Adding iCloud Productions. 


***Inspector will only attempt to unlock Apple keychains with the passwords entered during 
initial evidence ingestion. For more information, see Actionable Intel View. 
These ingestion options have corresponding ellipsis buttons providing additional options. 


• Extract Data: the Manage Data Extraction window lists all items that are normalized 

• Picture Analysis: the Media Analysis window provides options for standard picture 
processing and image classification categories provided by Image Analyzer 

• Video Analysis: the Media Analysis window provides options for standard video processing 
and image classification categories provided by Image Analyzer 

• Calculate Hash: the Hash Types window lists the three hash algorithms available in 
Inspector for file hashing (MD5, SHA1, and SHA256) 

• Identify Known Files: the Hash Sets window allows the examiner to choose which hash sets 
Inspector should use to identify known and notable file types 

• File Carving: the File Signature Management window shows the defined file signatures used 
for file carving 


Extract Data refers to the internal Inspector processes used to generate the data displayed in 
the Actionable Intel, Communication, Locations, Internet, Productivity, and System tabs, with 
the exception of Windows registry files in the System tab. Registry files are parsed with 
filesystem parsing. Examiners can choose to limit which data extraction processes are run by 
deselecting options in the Manage Data Extraction window, focusing on the data pertinent to the 
examination. In the bottom left corner of the Manage Data Extraction window, click Uncheck All. 
Then select only the desired processes and click OK. 


[Screenshot: Manage Data Extraction window listing the extraction processes, including Applications, Contacts, Device Info, Facebook, Internet Logs, JumpLists, Line, LinkedIn, Location Details, Location Services, Maps, Media, Memory, Notes, OoVoo, Phone Calls, Recents, Shared File List, Skype, SMS, System Dictionary, Tango, Textfree, TextPlus, Top Contacts, Tumblr, Twitter, UFED Android, VK, Voice Memos, Voicemails, WeChat, WhatsApp, Wifi and Windows LNK, with Uncheck All, Cancel and OK buttons]
Standard Picture and Video processing populates the Media tab. The Image Analyzer 
classification categories include: Alcohol, Chat, Child Sexual Abuse Material (CSAM), Currency, 
ID/CreditCards, Document, Drugs, Extremism, Gambling, Gore, Porn, Swim/Underwear, 
Vehicles, and Weapons. Examiners can choose to run any or all of these categories against 
pictures and videos. Classification of videos is determined using the Inspector-generated 16 
image (4 x 4) mosaic containing still frames from the video. By default, Inspector runs only 
standard picture and video processing. For additional image categorization, click on the ellipsis 
button. On the lower left side of the Media Analysis window, click Check All to classify with all 
available classification categories. Otherwise, select only the desired categories. Click OK once 
the desired options are selected. 


[Screenshot: Media Analysis window listing the classification categories Vehicles, Chat, ID/CreditCards, Document, Currency, CSAM, Alcohol, Drugs, Extremism, Gambling, Gore and Porn, each with a checkbox, and the Check All and Cancel buttons]
To help identify known files, Inspector ships with the Known OS X System Files, Known Windows 
System Files, and the Hashkeeper hash sets. Additionally, Inspector recognizes Encase (6.19 and 
lower), NSRL (full), and Inspector (.blhs) hash set formats. Inspector also imports hash sets 
saved as text files as long as the file contains one hash value per line with each line separated by 
a carriage return. Hash sets can be created from files in a case using any or all of the available 
hash types (MD5, SHA-1, SHA-256). Custom hash sets created in Inspector are automatically 
saved in the .blhs format and are available for use in all Inspector cases. The Calculate Hashes 
ingestion option must be selected for Identify Known Files to work. By default, hash comparisons 
are performed using MD5 hash values. You can change this default. For more information, see 
Inspector Preferences or Options. 


[Screenshot: Hash Sets window, "Identify files from the following Hash Sets:", listing Known Windows System Files, Hashkeeper 2.0 (Known CP), Hashkeeper 2.0 (Suspected CP) and Known OS X System Files with their Status, and the Uncheck All and Cancel buttons]
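As an added example (not Inspector's own code), the following Python mirrors the workflow this section describes: each file is hashed with MD5, SHA-1 and SHA-256, a text hash set with one hash value per line is loaded, and the files are matched against it, comparing by MD5 by default. The file names, the hash-set contents and the function names are constructed for the demonstration.

```python
"""Hash files and match them against a text hash set with one hash per line.

Added example, not Inspector's own code: it follows the page's description of
Calculate Hashes (MD5, SHA-1, SHA-256) feeding Identify Known Files, with the
hash set loaded from a text file that has one hash value per line. File names
and hash-set contents below are constructed for the demonstration.
"""
import hashlib
import tempfile
from pathlib import Path

HASH_TYPES = ("md5", "sha1", "sha256")  # the three algorithms the page lists
DIGEST_LEN = {32: "md5", 40: "sha1", 64: "sha256"}  # hex length -> algorithm


def hash_bytes(data):
    """Return {algorithm: hex digest} for an in-memory byte string."""
    return {name: hashlib.new(name, data).hexdigest() for name in HASH_TYPES}


def hash_file(path, chunk_size=1 << 20):
    """Return {algorithm: hex digest} for one file, read in chunks."""
    digests = {name: hashlib.new(name) for name in HASH_TYPES}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            for d in digests.values():
                d.update(chunk)
    return {name: d.hexdigest() for name, d in digests.items()}


def load_text_hash_set(path):
    """Load a text hash set: one hex hash per line; blank and '#' lines are skipped.

    The algorithm is inferred from the digest length, so one file may mix
    MD5, SHA-1 and SHA-256 entries. Anything else is rejected rather than
    silently ignored, so a damaged hash set cannot pass as an empty one.
    """
    hash_set = {name: set() for name in HASH_TYPES}
    with open(path, encoding="utf-8") as fh:
        for lineno, line in enumerate(fh, 1):
            value = line.strip().lower()
            if not value or value.startswith("#"):
                continue
            algo = DIGEST_LEN.get(len(value))
            if algo is None or any(c not in "0123456789abcdef" for c in value):
                raise ValueError(f"{path}:{lineno}: not a hex MD5/SHA-1/SHA-256 value")
            hash_set[algo].add(value)
    return hash_set


def identify_known_files(file_paths, hash_set, compare_with="md5"):
    """Return {path: bool} telling whether each file's hash is in the set.

    compare_with defaults to MD5, the comparison default the page states.
    """
    if compare_with not in HASH_TYPES:
        raise ValueError(f"unsupported hash type: {compare_with}")
    return {str(p): hash_file(p)[compare_with] in hash_set[compare_with]
            for p in file_paths}


def demo():
    """Constructed files and a constructed hash set; returns (matches, set sizes)."""
    with tempfile.TemporaryDirectory() as tmp:
        known = Path(tmp, "known.dll")
        known.write_bytes(b"constructed known system file contents\n")
        unknown = Path(tmp, "notes.txt")
        unknown.write_bytes(b"constructed user file, not in any hash set\n")
        # One hash per line: the known file's MD5 plus its SHA-256, to show
        # that mixed digest lengths in one text file are accepted.
        set_file = Path(tmp, "custom_set.txt")
        set_file.write_text(
            "# constructed hash set\n"
            f"{hash_file(known)['md5']}\n"
            f"{hash_file(known)['sha256']}\n",
            encoding="utf-8",
        )
        hs = load_text_hash_set(set_file)
        matches = identify_known_files([known, unknown], hs)
        return matches, {name: len(hs[name]) for name in HASH_TYPES}


if __name__ == "__main__":
    for path, hit in demo()[0].items():
        print(("known   " if hit else "unknown ") + path)
```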


When File Carving, by default Inspector attempts to recover all listed file types. This may take 
some time. In the ingestion options, if activating the File Carving checkbox (or Carve Unallocated 
if importing an item as unallocated), select the corresponding ellipsis button for further options. 
A separate File Signature Management window opens. Here the examiner may specify the 
unallocated file types to include in the recovery attempt. For more information, see Advanced 
Evidence Recovery. 
Below the Frequency column in the File Signature Management window, click Uncheck All. To 
the left of a file type group, select the disclosure triangle to reveal individual file types within the 
group and select only file types of interest to shorten the processing time. For more information 
about a given file type, select the file type to highlight it, and the right half of the File Signature 
Management window displays a verbal file type description and a list of typical file headers and 
footers (if available) for the selected file type. 


[Screenshot: File Signature Management window. Left half: file type groups (Audio, File System, Pictures, and others) with Extension, Format and Frequency columns, for example 3DI QuickDraw 3D Metafile, AI Adobe Illustrator File (Very Common), BMP Device Independent Bitmap File (Common), GIF Graphical Interchange Format (Very Common), JPG JPEG Image File (Very Common), PBM Portable Bitmap Image (Common). Right half: the description of the selected type (QuickDraw 3D Metafile: three-dimensional image format based on Apple QuickDraw 3D (QD3D) technology; may be a 3D representation of an individual object or a complete three-dimensional scene; can be viewed from different angles with supporting 3D programs) and File Signature Information with Header(s) and Footer(s) columns. Buttons: + New Group, Uncheck All, Cancel]


An examiner may also create custom, user-defined file signature databases. Once created, these 
user-defined databases appear in the File Signature Management window, and an examiner may 
add additional file signatures to the database or remove existing signatures from the database 
directly from this window. By default, user-defined file signature databases are stored in the 
/Application Support/Cellebrite/Inspector/UASignatureDBs folder. For more information, see File 
Signature Databases. 
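As an added example (not Inspector's code or its signature database), the following Python shows the two mechanisms described above on a small table of well-known magic values: signature analysis that reports the content extension implied by a file's header, and header/footer carving over a buffer of unallocated bytes. The signature table, the MAX_CARVE_LEN cap and the sample byte streams are constructed for the demonstration.

```python
"""Signature analysis and header/footer carving over constructed data.

Added example, not Inspector's own code. It illustrates two of the page's
ingestion options on a small signature table: File Signature Analysis
(compare a file's header with its extension and report the content
extension) and File Carving (find header/footer pairs in unallocated bytes).
The magic values are well known; the byte streams are constructed.
"""

# (content extension, header bytes, footer bytes or None when the format has
# no fixed trailer).
SIGNATURES = [
    ("jpg", b"\xff\xd8\xff", b"\xff\xd9"),
    ("png", b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
    ("gif", b"GIF8", b"\x00\x3b"),
    ("pdf", b"%PDF-", b"%%EOF"),
    ("bmp", b"BM", None),  # no footer: length comes from the header instead
]
MAX_CARVE_LEN = 1 << 20  # constructed cap: stop looking for a footer after 1 MiB


def content_extension(data):
    """Return the extension implied by the header, or None if unrecognised."""
    for ext, header, _ in SIGNATURES:
        if data.startswith(header):
            return ext
    return None


def signature_analysis(name, data):
    """Compare the name's extension with the header-derived content extension.

    Returns (claimed_ext, content_ext, mismatch). An unrecognised header is
    not reported as a mismatch because nothing contradicts the extension.
    """
    claimed = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    actual = content_extension(data)
    mismatch = actual is not None and actual != claimed
    return claimed, actual, mismatch


def carve(unallocated):
    """Carve (offset, extension, bytes) entries from a raw byte buffer.

    A hit needs the header and the nearest following footer within
    MAX_CARVE_LEN; formats without a footer are skipped by this simple carver.
    """
    found = []
    for ext, header, footer in SIGNATURES:
        if footer is None:
            continue
        start = unallocated.find(header)
        while start != -1:
            end = unallocated.find(footer, start + len(header),
                                   start + len(header) + MAX_CARVE_LEN)
            if end == -1:
                break
            end += len(footer)
            found.append((start, ext, unallocated[start:end]))
            start = unallocated.find(header, end)
    return sorted(found)


def demo():
    """Constructed inputs: a renamed picture and an unallocated area holding two files."""
    tiny_gif = b"GIF89a" + b"\x01\x00\x01\x00" + b"\x00" * 5 + b"\x00\x3b"
    tiny_jpg = b"\xff\xd8\xff\xe0" + b"JFIF\x00" + b"\x00" * 8 + b"\xff\xd9"
    analysis = signature_analysis("holiday.txt", tiny_gif)  # a GIF named .txt
    unallocated = b"\x00" * 16 + tiny_jpg + b"\xcc" * 7 + tiny_gif + b"\x00" * 16
    return analysis, carve(unallocated)


if __name__ == "__main__":
    analysis, carved = demo()
    print("signature analysis:", analysis)
    for offset, ext, blob in carved:
        print(f"carved {ext} at offset {offset}, {len(blob)} bytes")
```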


Inspector offers the capability of calculating byte stream entropy per file, which can aid in 
discerning between items that are more likely to be encrypted versus those which are not. 
Entropy values range from 0 to 1, with values closer to 1 denoting items that are more likely to 
be encrypted. To use this feature, select Calculate file entropy. After processing for file entropy 
on an evidence item, values are displayed under the Entropy column in the Browser and File 
Filter views. Entropy is available as a sortable column for display in the Browser and File Filter 
views. 
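The 0-to-1 entropy score described above, as an added example that is not Inspector's own code: it computes the normalised Shannon entropy of a file's byte histogram (the usual way such a score is produced; Inspector's exact formula is not documented here, so that and the 0.9 flag threshold are assumptions) on constructed inputs, and shows the caveat that compressed data scores nearly as high as encrypted data.

```python
"""Normalised byte-stream entropy (0..1), as Inspector's Calculate file entropy option reports.

Added example, not Inspector's own code. Assumption: the score is Shannon entropy of the
byte histogram divided by the 8-bit maximum; the 0.9 flag threshold below is also an
assumption, not a value from the guide.
"""
import hashlib
import math
import zlib
from collections import Counter
from typing import Dict, Iterable, Iterator


def histogram(chunks: Iterable[bytes]) -> Counter:
    """Count byte values across a sequence of chunks (bytes iterate as ints 0..255)."""
    counts: Counter = Counter()
    for chunk in chunks:
        counts.update(chunk)
    return counts


def entropy_from_counts(counts: Counter) -> float:
    """Shannon entropy in bits per byte, scaled so a flat histogram gives 1.0."""
    total = sum(counts.values())
    if total == 0:
        return 0.0
    bits = -sum((n / total) * math.log2(n / total) for n in counts.values())
    return bits / 8.0


def byte_entropy(data: bytes) -> float:
    return entropy_from_counts(histogram([data]))


def file_entropy(path: str, chunk_size: int = 1 << 20) -> float:
    """Same score for a file on disk, read in chunks so large evidence files are not loaded whole."""
    def chunks() -> Iterator[bytes]:
        with open(path, "rb") as fh:
            while True:
                block = fh.read(chunk_size)
                if not block:
                    return
                yield block
    return entropy_from_counts(histogram(chunks()))


def flag(score: float, threshold: float = 0.9) -> str:
    """Triage label. High entropy means encrypted OR compressed; the score alone cannot tell
    them apart, so pair it with file signature analysis before calling a file encrypted."""
    return "high (encrypted or compressed)" if score >= threshold else "low (plain data)"


def pseudo_random(n: int) -> bytes:
    """Deterministic high-entropy bytes (SHA-256 counter chain) standing in for ciphertext."""
    out = bytearray()
    counter = 0
    while len(out) < n:
        out += hashlib.sha256(counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:n])


# Constructed sample inputs; none of these come from the guide.
SAMPLE_TEXT = "\n".join(
    f"2020-01-{i % 28 + 1:02d} user{i % 13} opened /Users/user{i % 13}/Documents/report-{i}.pdf"
    for i in range(300)
).encode()
SAMPLE_ZEROS = bytes(4096)
SAMPLE_COMPRESSED = zlib.compress(SAMPLE_TEXT, 9)   # high entropy without any encryption
SAMPLE_CIPHERTEXT = pseudo_random(4096)


def scores() -> Dict[str, float]:
    """Entropy score for each constructed sample."""
    return {
        "zeros": byte_entropy(SAMPLE_ZEROS),
        "text": byte_entropy(SAMPLE_TEXT),
        "compressed": byte_entropy(SAMPLE_COMPRESSED),
        "ciphertext": byte_entropy(SAMPLE_CIPHERTEXT),
    }


if __name__ == "__main__":
    for name, score in scores().items():
        print(f"{name:11s} {score:.3f}  {flag(score)}")
```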


A bulk extraction tool is used to perform content searches on memory files, scanning the 
evidence file for key items of interest. For more information, see Bulk Extraction Searches on 
Memory Files. 
With the release of macOS 10.15, increased system protection was added to macOS. macOS 
Catalina runs in a read-only system volume, separate from other files. When a system is 
upgraded to Catalina, a second volume is created, and some files may move to a Relocated 
Items folder. 


The boot volume was split into two pieces. On the Desktop it appears as one volume, but looking 
at it via Disk Utility, it is readily apparent there are two volumes: 


[Screenshot: two Disk Utility windows for the same Catalina boot disk. Left: MacSSD, APFS Volume, APFS (Encrypted), Mount Point: /, Capacity 500.07 GB, Used 10.97 GB, Available 266.17 GB (3.66 GB purgeable), Connection SATA, Device disk1s5. Right: MacSSD - Data, APFS Volume, APFS (Encrypted), Mount Point: /System/Volumes/Data, Capacity 500.07 GB, Used 223.66 GB, Available 266.17 GB (3.66 GB purgeable), Connection SATA, Device disk1s1. The sidebar lists both volumes under Internal.]


The volume name that appears on the Desktop appears in both volumes; the second volume has 
- Data appended to the volume name. For more information, see this topic provided by Apple: 
https://support.apple.com/en-us/HT210650. 


This structure can also be seen when the volume is processed in Inspector. It first becomes 
visible when ingesting evidence from a macOS 10.15 system. 


Bennett-Computer-191230.E01 (EWFImage) 
Evidence ID: Bennett-Computer-191230.E01 - 001 

    Protective MBR                           512 Bytes 
    Primary GPT Header                       512 Bytes 
    Primary GPT Table                        16.0 KB 
    Unallocated                              3.0 KB 
    EFI System Partition (FAT32)             200.0 MB 
    Racer - Data (APFS)                      29.9 GB 
        Snapshots: Racer - Data (APFS)       [0 Selected, 4 Unselected, 0 Processed] 
    Preboot (APFS)                           234 MB 
    Recovery (APFS)                          501.1 MB 
    VM (APFS)                                1.0 GB 
    Racer (APFS)                             10.3 GB 
        Snapshots: Racer (APFS)              [0 Selected, 4 Unselected, 0 Processed] 
    Unallocated (APFS)                       17.5 GB 
    Basic data partition (NTFS)              52.4 GB 
        VSCs: Basic data partition (NTFS)    [0 Selected, 2 Unselected, 0 Processed] 
    Unallocated                              472.0 KB 


This example shows a macOS system with the volume name Racer. Evidence processing options 
can be different for the two volumes and the associated APFS Snapshots. User files and data are 
stored on the «Volume Name» - Data volume. The system data is stored on the «Volume Name» 
volume and is mounted read-only when macOS is running. In addition, the system volume 
contains system .plist and database files, and system applications (pre-installed Apple 
applications). Keep this in mind when choosing processing options. 
Starting the Evidence Ingestion 


When finished with the options in the Add Evidence window, select the Start button to start the 
data ingestion. In the Component list select Evidence Status. Inspector begins ingesting and 
processing the data according to the options chosen. 


As soon as the file system is parsed, a check box will appear in the Component list for that 
evidence item. The examiner can then browse the evidence item in the Browser tab while the 
other processing options are finishing. 


Running or Rerunning Processing Options After Ingestion 


To run previously skipped file processing options at any time, in the Component list under 
Activity, select Evidence Status. A Run button appears for the processing options that have yet to 
execute. Click Run to execute the associated file processing option. Evidence processing status 
indicators appear in the Content pane. Status indicator labels display Preparing, Percentage 
Completed, and Finished as progress is made. 


An examiner can also run the hash set processor (Known Files) and the unallocated file recovery 
processor (File Carving) multiple times during a case. In the Component list under Activity, 
select Evidence Status. A Run button appears in the Content pane next to Known Files. When 
you click Run, the Hash Sets window appears. Select the desired hash sets to apply during 
processing and click OK. 


In the Content pane, a Rerun button appears next to File Carving for each volume or device, with 
the exception of APFS volumes. When you click Rerun, a warning dialog appears to alert the 
examiner that Inspector is temporarily removing the partition from the case and reprocessing 
the data. To proceed, click Reset in the warning dialog. For more information, see File System 
Information. 


Important: When you click Reset, tags associated with data contained on the partition are 
permanently removed from the case. 


Show Errors 


If an error occurs during the acquisition, an error badge (i.e., an exclamation mark within a 
triangle) appears in the Evidence list next to the device's name associated with the error. 


[Screenshot: context menu on an evidence item in the Component list, with Relocate Evidence..., Export Evidence File..., Rename Drive..., Remove from Timeline..., Remove Evidence Item..., and Show Errors.]


From the error badge, open the context menu, and then click Show Errors. A window containing 
a list of errors that occurred during data processing appears. Click Save to File to save the error 
list to a text file. 
Most data processing errors are benign, but an examiner should note these errors to preserve 
case integrity. FileSystemID conflict errors may indicate duplicate file creation caused by file 
system corruption. Inspector automatically resolves these and other common error types. In the 
Errors window, click Ignore to ignore an error. In the confirmation dialog box, click OK. The error 
badge is removed from the Evidence section in the Component list. 


An examiner may also perform an unallocated recovery on an entire disk if the acquisition or 
data parsing process fails entirely. 


Adding a Selected Image File on an Imported Evidence Item 


To add an image file located on an evidence item that is already in a case, select a device 
partition in the Component list, and on the toolbar click Details. In the Artifacts section at the 
lower right of the window, double-click on the Disk Images bar graph. Inspector switches to the 
File Filter view and displays a list of disk images. 


In the Content pane, select an image file to add to the case as a new evidence item. Click File » 
Add Selected. 


The Add Evidence window appears. Choose the processing options, then click Start. Inspector 
adds the image file to the case and the image appears as an item in the Evidence section of the 
Component list. 


Adding an iOS Disk Image or Backup 


As long as you have access to the necessary encryption credentials/files, Inspector ingests and 
processes unencrypted or encrypted iOS disk images as well as encrypted or unencrypted iOS 
backup folders. 


The process for adding iOS evidence is begun the same way as adding any form of evidence to an 
Inspector case. For more information, see Adding Evidence to a Case. 


Adding Unencrypted iOS Disk Images 


Use the Add Evidence window to import unencrypted bit-by-bit forensic iOS images (allocated, 
unallocated, and free space) acquired from iOS devices. Note however, that devices running iOS 
version 4.0 or higher are encrypted at the block level, and therefore full data recovery from 
unallocated space is not possible. Email cannot be retrieved. 


Inspector ingests the following unencrypted iOS disk image formats: 


• ElcomSoft 

• Cellebrite 

• iXAM 

• MPE+ (Tarball image) 

• iPhone-Dataprotection & Lantern Lite 
Adding Encrypted iOS Disk Images 


Some third-party iOS image acquisition tools do not create a decrypted disk image by default. 
Instead, the acquired bit-by-bit forensic image file remains in an encrypted state after 
acquisition, and a decryption key file that decrypts the image is included with the acquisition. 
However, some of these third-party tools do have a decrypted image acquisition option. If you 
select this option, a second unencrypted image is created during the acquisition process. 


Inspector imports encrypted third-party iOS forensic images. However, to conserve disk space, 
Inspector does not use the decryption key to create a second unencrypted image. Instead, 
Inspector uses the decryption key to decrypt the image on the fly as the image is imported. 


Inspector imports the following encrypted iOS disk image formats: 


• Cellebrite (.ufd) 
• MPE+ (dd8 images that are not pin-locked) 
• iPhone DataProtect & Lantern Lite 


When adding an encrypted iOS forensic image to a case, the Open Decryption Key File window 
appears. Select the decryption key file and click Open. 


Inspector imports the encrypted disk image and uses the decryption key to decrypt the image on 
the fly as the image is imported. 


Adding iOS Backup Folders 


Inspector acquires logical data from an iOS backup file (i.e., iTunes backup). An iOS backup file 
may not contain current data, but data recently deleted from an iOS device may be recovered 
from a backup file. Therefore, acquiring data from this file can be important. Backup files do not 
contain applications (iOS version 4.0 and higher), music, movies, etc. 


To add an iOS backup folder to a case, navigate to the iOS backup folder and select only the 
top-level directory of the iOS backup. A device's top-level directory has a 40-character UDID name 
value and has other similarly named folders inside. 


Activate the checkbox for the iOS backup that is to be imported. If it is an encrypted backup, a 
lock icon will be displayed next to the backup name and the device will be deselected. Select the 
encrypted backup in the middle column, and a dialog window opens, prompting for the encrypted 
backup password that was in effect when the backup was made. Enter the password and click 
Confirm Password. Without the backup password, only ancillary data will be available for 
collection - media and some third-party application data. 


Inspector does not attempt to crack this password, however there are several third-party 
applications available that do. For more information, see this topic provided by Apple: 
http://support.apple.com/kb/ht4946. 
In the middle portion of the Add Evidence window, an Evidence ID text box is shown, and this text 
box can be clicked and edited with an alphanumeric evidence ID for the iOS backup folder. 


Choose the desired ingestion options and click Start when ready to begin the import. 


Exporting and Importing iOS Backups from a Disk Image 


If an iOS backup is included in an evidence item (e.g., a disk image) that is already part of the 
Inspector case, the iOS backup can be exported and then imported into the case. Once imported 
into the case file, the iOS backup will appear as a separate evidence item in the Component list. 


Any available iOS backups contained in a selected evidence item can be found by navigating to 
the Actionable Intel view, then selecting Device Backups from the listed items. For more 
information, see Actionable Intel View. 
Ingest GrayKey Images 


Inspector can ingest and process GrayKey images. Doing this provides access to the data in the 
images through parsing, and it also allows full filesystem analysis. GrayKey images are supplied 
as zip files. 


    1b1ce46edadab95d64c02814ba376c71e00a6301_files.zip 
    1b1ce46edadab95d64c02814ba376c71e00a6301_keychain.plist 
    1b1ce46edadab95d64c02814ba376c71e00a6301_mem.zip 
    1b1ce46edadab95d64c02814ba376c71e00a6301_passwords.txt 


You can add each of these to Inspector by dragging and dropping them onto your case, or you 
can click Add. 


When the Add Evidence window appears, choose the options and click Start. 


[Screenshot: Add Evidence window with a GrayKey _files_full.zip selected under Files / Folders / Disk Images. The middle pane identifies it as a TariOSExtraction and shows the device's Model Version (iPhone X), Product Type (iPhone10,3) and Serial Number. The Processing Options pane lists Extract Data, File Signature Analysis, Picture Analysis, Video Analysis, Process Archives, Process OCR Image Text, Calculate Hashes, Identify Known Files, File System Journal Analysis, Spotlight Parsing, OS Event / Security Logs, Smart Indexing, Mail Parsing, Activity Correlation, Calculate File Entropy and Manage Passwords..., with Refresh, Remove, Cancel and Start buttons.]
Inspector processes the GrayKey zip file just as if it were processing an iOS backup, except with 
much more data. This depends on which zip file you choose, since GrayKey provides these types. 


    «name»_files.zip contains the entire file system dump. 
    «name»_backup.zip is an iOS backup version. 
    «name»_mem.zip lets you choose whether to bring it in as a simple zip archive so you can see 
    the contents, or as a folder so you can do a full bulk extraction on it to get evidentiary items 
    like IP addresses, email addresses, and so on. 
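Both naming conventions this guide describes, the 40-character UDID directory of an iOS backup (Adding iOS Backup Folders) and the «name»_ suffixes of GrayKey extractions (above), in one added example that is not Inspector's own code: it walks an evidence folder and inventories both kinds of container. Assumptions not stated on this page: the newer 8-hex '-' 16-hex UDID form, and the Manifest.plist / IsEncrypted check used to detect an encrypted backup, are standard iTunes-backup layout.

```python
"""Inventory iOS backup folders and GrayKey extraction files by their identifier naming.

Added example, not Inspector's own code. From this guide: an iOS backup's top-level
directory carries the device's 40-character UDID, and GrayKey ships
<identifier>_files.zip, _backup.zip, _mem.zip, _keychain.plist and _passwords.txt.
Assumptions (standard backup layout, not from the guide): newer devices use an
8-hex '-' 16-hex UDID, and Manifest.plist in the backup folder carries IsEncrypted.
"""
import os
import plistlib
import re
import shutil
import tempfile
from dataclasses import dataclass
from typing import List, Optional

UDID_NAME = re.compile(r"^(?:[0-9a-f]{40}|[0-9A-F]{8}-[0-9A-F]{16})$")
GRAYKEY_ARTIFACTS = {
    "_files.zip": "full file system dump",
    "_backup.zip": "iOS backup",
    "_mem.zip": "memory archive",
    "_keychain.plist": "keychain",
    "_passwords.txt": "passwords",
}


@dataclass
class Finding:
    path: str
    kind: str                          # "ios_backup" or "graykey"
    detail: str
    encrypted: Optional[bool] = None   # iOS backups only; None when unknown


def graykey_artifact(filename: str) -> Optional[str]:
    """Describe a GrayKey file if it is <identifier><known suffix>, else None."""
    for suffix, desc in GRAYKEY_ARTIFACTS.items():
        if filename.endswith(suffix) and UDID_NAME.match(filename[: -len(suffix)]):
            return desc
    return None


def backup_encrypted(backup_dir: str) -> Optional[bool]:
    """IsEncrypted from Manifest.plist; None if the manifest is missing or unreadable."""
    try:
        with open(os.path.join(backup_dir, "Manifest.plist"), "rb") as fh:
            return bool(plistlib.load(fh).get("IsEncrypted", False))
    except (OSError, plistlib.InvalidFileException, ValueError):
        return None


def scan(root: str) -> List[Finding]:
    """Walk root; report UDID-named directories as backups and GrayKey-named files."""
    findings: List[Finding] = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in sorted(dirnames):
            if UDID_NAME.match(name):
                full = os.path.join(dirpath, name)
                findings.append(Finding(full, "ios_backup", "top-level backup directory",
                                        backup_encrypted(full)))
        for name in sorted(filenames):
            desc = graykey_artifact(name)
            if desc is not None:
                findings.append(Finding(os.path.join(dirpath, name), "graykey", desc))
    return findings


def demo() -> List[Finding]:
    """Build a constructed sample tree (no real evidence), scan it, and remove it."""
    root = tempfile.mkdtemp(prefix="ios_evidence_")
    try:
        udid = "c" * 39 + "1"  # constructed 40-hex UDID
        backup = os.path.join(root, "Backup", udid)
        os.makedirs(backup)
        with open(os.path.join(backup, "Manifest.plist"), "wb") as fh:
            plistlib.dump({"IsEncrypted": True, "Version": "10.0"}, fh)
        ident = "1b1ce46edadab95d64c02814ba376c71e00a6301"  # identifier shown in this guide
        for suffix in ("_files.zip", "_keychain.plist", "_mem.zip", "_passwords.txt"):
            open(os.path.join(root, ident + suffix), "wb").close()
        open(os.path.join(root, "notes.txt"), "wb").close()  # unrelated; must be ignored
        return scan(root)
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for f in demo():
        print(f.kind, f.detail, f.encrypted, os.path.basename(f.path))
```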


[Screenshot: Browser view of a GrayKey full file system image in the Inspector case, showing the root folders (HFS+ Private Directory Data, Applications, Developer, Library, System, etc.) with Date Created, Date Modified, Date Accessed and Date Added columns.]


Navigation through a GrayKey image looks just as if it came straight from the device itself. 


[Screenshot: call log from the GrayKey image of Tenisha's iPhone, with Service (Phone, WeChat, Line), Direction (Incoming/Outgoing), Type, Date, Contacts, Duration (HH:MM:SS) and Status (Missed, Cancelled) columns, alongside the Voicemail, Voice Memos, Favorites, Contacts and Email tabs.]
Adding a Memory File 


Every bit of data being created, viewed, or destroyed goes through RAM, including all 
web-browsing activity, editing of documents, viewing of pictures, sending and receiving of 
network data, execution of applications, etc. Some types of artifacts only exist in RAM, and 
many types of ephemeral operating system artifacts are never stored to disk (e.g., what 
applications are currently running, what files and network connections are currently open, or 
what drivers are loaded). RAM artifacts can potentially tell examiners if malware, anti-forensics 
tools, or encryption software was running, if the machine had open network connections to 
known websites of interest, and/or what picture files a viewer application had open. 


An in-depth study of memory forensics is outside the scope of this manual. 


The process for adding a memory file is begun the same way as for adding any form of evidence 
to an Inspector case. For more information, see Adding Evidence to a Case. 


Inspector automatically identifies a memory file and Processing Options are adjusted. You can 
perform a Quick Scan (default) or a Deep Scan. The Quick Scan option is faster and searches the 
most likely locations. Deep Scan takes more processing time and searches in additional locations 
less likely to yield content. 


[Screenshot: Processing Options pane for a memory file, with the Quick Scan / Deep Scan choice and checkboxes for Extract Data, DB Recovery, File Signature Analysis, Picture Analysis, Video Analysis, Process Archives, Process OCR Image Text, Calculate Hashes, Identify Known Files, File Carving, File System Journal Analysis, Spotlight Parsing, OS Event / Security Logs, Smart Indexing, Content Search (Bulk extraction), Mail Parsing, Activity Correlation, and Manage Passwords....]
If attempting to add a hiberfil.sys (Hibernation) file, a separate window will open prompting for 
the Windows OS version that was used to create the file. Choose the operating system version 
from the drop-down menu and click Confirm Version. If you select Unknown Version from the 
drop-down menu, memory parsing will not be run. However, file carving and content searching 
can still be run from the Add Evidence window if desired. 


[Screenshot: Add Evidence window after selecting a hiberfil.sys file.] 

Memory File Name: hiberfil.sys 

In order to process the memory file, the operating system version the file came from 
is required. Windows Vista and newer versions are currently supported. 

By selecting Unknown Version from the drop down below, memory parsing will not be 
run. If selected in Evidence Selection, file carving and content searching however will 
be run. 

«select operating system version» drop-down: Vista, Vista Service Pack 1, Vista Service Pack 2, 
Windows 7, Windows 7 Service Pack 1, Windows 8, Windows 8.1, Windows 10, Windows 10 (v1511), 
Windows 10 (v1607), Windows 10 (v1703), Windows 10 (v1803), Windows 10 (v1809), Unknown Version 


Microsoft Symbols 


Inspector requires Microsoft symbols in order to process Windows memory files. If Inspector 
does not have access to these symbols, nothing can be extracted from memory files. These 
symbols are stored on the Microsoft Symbol Server, which can be accessed over the Internet. 
You can manage preferences for accessing Microsoft symbols from the Preferences window. For 
more information, see Inspector Preferences or Options. 


[Screenshot: Microsoft Symbols Settings dialog.] 

To process memory files (memory dumps, hibernation and page files) Inspector will install a default symbol set to 
the 'Symbols Location' below. Inspector can download new symbols from the Microsoft Symbol Server or an 
internal Symbol Server. 

Warning: An internet connection is required to download from the Microsoft Symbol Server. To process memory 
files without connecting to a Symbol Server, copy all required symbols to the 'Symbols Location' below. 

[x] Enable downloading of symbols from address specified here. 
Symbol Server: https://msdl.microsoft.com/download/symbols 

Specify where you want to store the downloaded symbol files. 

Symbols Location: F:\Users\heidi\AppData\Roaming\Cellebrite\Symbols 

[x] Report missing symbols to Cellebrite 


The Symbols Location field is the location where Inspector installs its default symbol set, and it 
is the location where any downloaded symbol files are saved. Selecting the folder icon allows you 
to choose a different location for symbols. Click Reset, and Inspector restores the Symbols 
Location field to the default path. 
Inspector can download new symbols from the Microsoft Symbol Server or an internal server. By 
default, the checkbox is activated to enable downloading of symbols, and the Microsoft server 
address is selected. An Internet connection is required to download from the Microsoft Symbol 
Server. To disable automatic downloading of symbols, unmark the checkbox for Enable 
downloading of symbols from address specified here. 


By default, Inspector sends anonymized data about the necessary symbols back to Cellebrite, so 
that we can consider including the symbols in our future symbol packs. Reporting can be 
disabled by unmarking the checkbox for Report missing symbols to Cellebrite. 


To connect to an internal symbol server, change the address in the Symbol Server field. 


To process memory files without connecting to a symbol server, copy all required symbols to the 
location shown in the Symbols Location field. 


If you have disabled symbol downloading or you have no Internet connection, Inspector may fail 
when processing a memory file. In this case, if you right-click the error badge for the memory 
file and click Show Errors, a window appears offering these options. 


[Screenshot: Symbol Download Failure dialog.] 

An internet connection is required to download symbols needed for processing. To resolve, please 
select one of the following options: 

    Install all known symbols with the Inspector Symbols installer and click Reprocess 
    http://community.cellebrite.com/ 
    Connect to internet and click Reprocess 
    Select external drive and click Copy Utility 

Select Drive...    Cancel 


1. Download and install the offline symbol pack from Cellebrite, which contains all of the 
currently known symbols. (In most cases this will be adequate.) 

2. Connect to the Internet and reprocess. 

3. Copy a utility to an external drive (such as a USB drive), which can then be connected to an 
Internet-connected computer and run. The symbols are downloaded to the USB drive. The 
USB drive is then connected back to the computer running Inspector, and the symbols are 
copied over. (To do this, click Select Drive, select the external drive, then click Copy Utility.) 
Analyzing Memory Files 


After a memory file has been added to Inspector and processed with the desired processing 
options, the parsed contents can be analyzed. In the Browser view, files carved from the memory 
file are separated by type and then file type extension. Each file can be viewed within the 
appropriate Inspector view. For instance, if any pictures have been carved from the memory file, 
they can be viewed in the Media view. 


Memory file artifacts can also be viewed within the Memory sub-view. On the toolbar, click 
System » Memory. For more information, see System View. 


When the examiner runs processing options on a memory file, Inspector uses a bulk extraction 
tool to perform content searches, scanning the evidence file for key items of interest. For more 
information, see Bulk Extraction Searches on Memory Files. 


Adding a USB Attached Mobile Device 


Inspector can logically acquire and process an attached iOS (i.e., iPod, iPhone or iPad) or Android 
device. The process for adding an attached mobile device is begun the same way as for adding 
any form of evidence to an Inspector case. For more information, see Adding Evidence to a Case. 
Additional steps and considerations pertaining to mobile devices are discussed below. 


Settings for Android Devices 


In order to have the analysis system recognize an Android device, make sure the Android device 
is unlocked, and that the USB debugging mode has been selected from the Developer options 
(or, on some devices, Development) in the device's Settings menu. The USB debugging option 
may have to be selected and unselected a few times on some Android devices. 


Once the device is in USB debugging mode, and the RSA key fingerprint has been created by 
tapping OK, it is sometimes necessary to change the mode of the device. In order to do this, 
swipe down from the top of the device screen and choose the USB computer connection option. 
From here, Media device (MTP), Camera (PTP), or Internet mode can be chosen. While Media 
device (MTP) is the most common mode, the user may have to try Camera (PTP) or Internet 
mode for the device to be recognized. 
Adding Evidence from a USB Attached Android or iOS Device 


When a live Android or iOS mobile device is attached, and the PIN has been used to unlock the 
device, data can be acquired. The device will be shown in the Attached/Mounted Devices area. By 
highlighting the device, its information is revealed in the middle portion of the window. 


[Screenshot: Add Evidence window with an attached iPad selected under Attached Mobile Devices. The middle pane shows the device information (Model Version iPad mini (5th generation), Capacity 256 GB, Data Available, Data Used, OS Version 14.4, Product Type iPad11,1, Model Number, Firmware Version, Serial Number, UDID, WiFi Address, Bluetooth Address, Time Zone). The Processing Options pane lists Extract Data, DB Recovery, File Signature Analysis, Picture Analysis, Video Analysis, Process Archives, Process OCR Image Text, Calculate Hashes, Identify Known Files, Smart Indexing, Mail Parsing, Activity Correlation, Calculate File Entropy and Manage Passwords..., with Refresh, Cancel and Start buttons.]


When finished with the options in the Add Evidence window, click Start to start the data 
acquisition and processing. In the Component list select Evidence Status. Inspector begins 
acquiring and processing the data according to the options chosen. Disconnect the iOS device 
only after the acquisition is complete. 


Warning: Never disconnect an iOS device during backup or acquisition. 


Additional Notes on Adding Mobile Devices to a Case 


When an examiner adds a USB attached mobile device, Inspector acquires logical data (not a bit- 
by-bit forensic image acquisition) from an attached device and places the data into the case file. 
When iOS data is acquired using this option, Inspector leverages the iTunes API backup 
functionality. However, it is important to note that this acquisition is much more thorough than a 
simple iTunes backup. A special low-level connection is also established, and additional data not 
contained in a normal iOS iTunes backup is also acquired. This is the best method to use to 
acquire and examine logical iOS data when a physical image is not possible. 


Because Inspector does not forensically image or jailbreak iOS devices, email is not acquired. 
But SMS/MMS messages, contacts, phone calls, voicemails, pictures, etc., are. 


Acquiring data using this method may cause a case file to become quite large, depending on the 
size of the iOS device, so be sure the case is stored on media with the appropriate capacity. 


It is best to disable wireless connectivity on mobile devices before acquiring data from them. 
Some iOS applications may cause data acquisition or processing to fail. If this happens, quit and 
relaunch Inspector. The acquisition may continue successfully. If another failure occurs, remove 
the iOS device and re-add it to the case with different processing options selected. You can find 
debugging instructions and additional troubleshooting information in File System Information. 


If adding an Android device that is "rooted," ensure that the device's developer option for Root 
Access is set to Apps and ADB before beginning the collection. If this Root Access option is set to 
Apps Only, Inspector may not be able to properly interact with the device. 


Adding Other Attached Devices 


An examiner may use Inspector to perform an analysis of attached devices. These include a 
mounted device such as a .dmg image, a Time Machine/Time Capsule image, an external 
FireWire or USB drive, or a mounted .E01 file. For more information, see Appendix 2 - 
EWMounter. 


The process for adding attached devices is begun the same way as for adding any form of 
evidence to an Inspector case. For more information, see Adding Evidence to a Case. 


Adding a Mobilyze Case 


Cases created and stored with Mobilyze, Cellebrite's mobile device triage tool, may be added to 
an Inspector case. Mobilyze has the potential to acquire some types of data that cannot be 
displayed within that application, yet will be viewable in Inspector, which is designed for more 
comprehensive analysis. 


To add a Mobilyze case to Inspector, follow the same process as for adding any form of evidence 
to an Inspector case. For more information, see Adding Evidence to a Case. 


In the left pane of the Add Evidence window, click Add. Navigate to the desired Mobilyze folder 
and click Select. The Add Evidence window recognizes the folder as a Mobilyze case and notes it 
as such in the middle pane. 


When finished with the options in the Add Evidence window, click Start to begin adding the 
Mobilyze case to the Inspector case. 
Adding a Folder or File 


You may add targeted or triaged evidence stored in individual folders or files to a case. 


The process for adding a file or folder is begun the same way as adding any form of evidence to 
an Inspector case. For more information, see Adding Evidence to a Case. 


Inspector imports and processes the chosen evidence items, and they are displayed in the 
Evidence section of the Component list. 


Adding Evidence Using Drag and Drop 


You can add data to a case in Inspector using the drag-and-drop method for these data ingestion options. 


• Disk Image: Add a forensically acquired or virtual disk image (DMG, DD, VMDK, E01, Ex01, L01, S01) 
• Folder: Add a folder and folder contents 
• File: Add a file 


For more information, see Tags. 


Select one of the above data source types from Finder and drag it onto the Component list. A 
border appears around Evidence. Drop the file onto the Component list and the Add Evidence 
window appears. 


[Screenshot: the Component list, with the case's evidence items listed under EVIDENCE and Evidence Status and Export Status listed under ACTIVITY] 


From this point, follow the same process as for adding any form of evidence to an Inspector 
case. For more information, see Adding Evidence to a Case. 


Inspector imports and processes the chosen evidence items, and they are displayed in the 
Evidence section of the Component list. 
Adding Berla iVe 


Working with Berla Corp, Inspector is capable of importing data exported from Berla iVe. Berla 
Corp is the industry leader in vehicle forensics. Vehicles contain a vast amount of data useful 
during an investigation. Data such as routes, vehicle events, location data, connected devices, 
and media can all be contained in computers in a vehicle. Once the data is acquired using the 
Berla iVe ecosystem, it is then imported into Berla's iVe forensic software. Berla Corp has added 
an option in iVe Desktop to export data to a .ivx database for import into Inspector. 


Choose the .ivx file in the Add Evidence window. 


Inspector ingests the .ivx database and processes the data. 


[Screenshot: the Details view for the evidence item Ford iVeExport.ivx, showing Device, Filesystem, Total Size, Evidence ID, File System TimeZone, Extended Information, file timestamps and Artifacts counts] 


All of the data included in the .ivx database can be viewed from the Browser view, using the 
Preview tab in the File Content view. 


[Screenshot: the Browser view listing location records from the .ivx database, with DateTime, Latitude, Longitude, Altitude, Accuracy and Action columns] 
Data is parsed into these areas in Inspector. 


• Actionable Intel 
  ◦ Device Connections 
  ◦ File Knowledge (Recent Items) 
  ◦ Account Usage (Top Contacts) 
• Communication (Calls, Contacts) 
• Locations (Map View, Location List) 
• System (System Log) 


Adding iCloud Productions 


With the proper search authority, Apple provides data from a user's iCloud account using that 
person's Apple ID. A myriad of data can be stored in a person's iCloud account including multiple 
device backups. iCloud Production files from Apple are sent in an encrypted GPG format. These 
files must be decrypted prior to ingestion. If an examiner attempts to add encrypted GPG files, 
Inspector will display a prompt indicating the GPG file must be decrypted. Decryption of the GPG 
file results in a zip file. 


The process for adding an iCloud Production .zip file is begun the same way as adding any form 
of evidence to an Inspector case. For more information, see Adding Evidence to a Case. 


Ingesting data from iCloud production files relies on the formatting of these files. If Apple 
chooses to alter the format of the data in iCloud Production files, Inspector may cease to identify 
iOS device backups in the iCloud production files. 
Some users do not store device backups in iCloud, and some iCloud Production files do not contain device backups. If this occurs, the iCloud Backups processing option will not be available for that set of iCloud Production files and Inspector will identify the file as a ZipArchive. 


[Screenshot: the Add Evidence window with BB_jbennett_mac@me.com_20190509.zip selected under Files / Folders / Disk Images and identified as a ZipArchive; the Processing Options pane offers Preview, Triage and Comprehensive presets and the standard options (Extract Data, DB Recovery, File Signature Analysis, Picture Analysis, Video Analysis, Process Archives, Process OCR Image Text, Calculate Hashes, Identify Known Files, File System Journal Analysis, Spotlight Parsing, OS Event / Security Logs, Smart Indexing, Content Search (Bulk extraction), Mail Parsing, Activity Correlation, Hiberfil.sys / Pagefile.sys, Calculate File Entropy, Manage Passwords...)] 


For iCloud productions containing iOS device backups, Inspector identifies the zip files as an 
iCloudBackupArchive. The device backups are detected, and the processing option iCloud 
Backups is available and will be automatically marked. Some iCloud accounts contain multiple 
backups for the same device and backups for different devices. 


[Screenshot: the Add Evidence window with BB_fox.tenisha@icloud.com_20190510.zip selected and identified as an iCloudBackupArchive; the Processing Options pane now also lists the iCloud Backups option] 
As the data is ingested, Inspector first identifies the zip file as iCloudBackupArchive. This can be seen in the Evidence Status section of the Component list. 


[Screenshot: the Evidence Status view showing the evidence item named iCloudBackupArchive (No Volume Label), with Parsing in progress, Extract Data and DB Recovery pending, and the start of the processing log (Version, Case Path, Evidence Path)] 
Once parsing completes, Inspector changes the Evidence Item name to the name of the zip file. 


[Screenshot: the Evidence Status view after parsing, with the evidence item renamed BB_fox.tenisha@icloud.com_20190510.zip and the processing log listing the Parsing, Web Cache, Extract Data and File Typing / Metadata Processing stages with their timestamps] 
Before iOS device backups are parsed, all other processing options must complete on the zip file. Once the iCloud process starts, the process on Evidence Status displays how many device backups there are. 


[Screenshot: the Evidence Status view during iCloud Backups processing, listing the zip file followed by an entry for each device backup found, including Tenisha's iPhone, each with its own processing status indicators] 


As Inspector parses the data stored in the backups, the temporary name icloudfsstore is applied 
to the backup. Once parsing begins on a backup, the name is changed to the Device Name of the 
iOS device. 


As the iOS backups process, data on the backups can be viewed and examined. 


[Screenshot: the Details view for the device backup Tenisha's iPhone (Model A1865, A1901, A1902, A1903)] 
Adding UFED and Premium CAIS Acquisitions 


Inspector supports UFED (segmented .zip) versions as well as Premium Cellebrite Advanced Investigative Services .dar formats for mobile device acquisitions. 


When ingesting a UFED acquisition, point Inspector to the main .zip file for UFED extractions and 
the .dar file for Premium extractions. 


If the iOS device is encrypted, you can select the device to enter the password in the Processing 
Options panel. You can find that password in the .ufd file accompanying the .zip file. If the 
password is validated the device is processed normally. 


After Inspector parses a .zip file, the iOS file within the .zip file is parsed. You can see the additional item in the Evidence Status view and the Component list. The name of the iOS device changes during processing and is final when processing is complete. 


You can investigate both the .zip file and the iOS device. The view depends on which evidence item you select. 


Remove Evidence from a Case 


You may remove an evidence item from a case. 


1. In the Component list under Evidence, right-click the evidence item to be removed. 
2. Click Remove «Item Name» from Case. 


[Screenshot: the Evidence section of the Component list with the context menu open for the selected evidence item, and the Details pane (Name, Disk Protocol, Total Size, Disk Hash) to the right] 


3. In the confirmation dialog, click Remove. 
Move a Case File to a Different Computer 


You can move a case file to a different computer for another examiner to look at. You must first 
create a case archive to move or copy it. 


1. In the Case Manager window, select the case file. 

2. Click File » Create Case Archive. 

3. Choose the location to export the case file to and then click Save. 

4. On the computer where the case should reside, open Inspector. 

5. Click File » Restore Case Archive. 

6. Navigate to the location of the saved archive from Step 3, select the archive folder, and then click Open. This message appears: Would you like to restore this archive to a local case? Create a new case on this local system. 

7. Click Local Case. 

8. Navigate to the location on this computer to restore this case file to, name the case, and then click Save. 




When restoration is complete, the case file opens in Inspector. 


Relocating a Disk Image 


Before you begin: Keep the Inspector case file on a local machine and not on a network 
resource, as some Inspector features may fail when the case file is accessed over a network. 


If you move a disk image in a case to a new location on the same disk, Inspector automatically recognizes the image's new location. However, if you move the image to a new location on a different disk, such as a network share, Inspector does not recognize the disk image's new location. Therefore, «Disk Unavailable» appears next to the item in the Component list. 


[Screenshot: the Evidence section of the Component list with the context menu open for the drive 'The6', offering Relocate source for 'The6'..., Export evidence file for 'The6'..., Rename drive 'The6'... and Remove The6 from Case...] 


You must navigate to and select the disk image from within Inspector before data from the device is once again available for examination. In the Evidence section of the Component list, right-click or CTRL+click the device and then click Relocate Evidence from the context menu. In the navigation window, locate the disk image and select it. Inspector automatically links to the disk image in its new location and displays it in the Evidence section of the Component list. 
Exporting Mobile Device Evidence 


You may need to export mobile device evidence to collaborate with another examiner or for 
e-Discovery purposes. 


In the Component list under Evidence, select the mobile device evidence item to be exported. 
Right-click the device and click Export Evidence File from the context menu. 


Select the destination for the exported file and click Save. You can monitor the progress of the 
export by selecting Export Status in the Component list. 


The exported file for the mobile device evidence is named Files.bbtar. 


Hashing and Verifying Forensic Evidence 


To generate a disk image hash value, on the toolbar, click Details and then choose the dropdown 
option for the device. The Calculate Disk Hash link appears. 


Click Calculate Disk Hash, and a Hash Types window appears. Select any or all of the desired 
hash type checkboxes. 


As Inspector generates the hash values, a “Hashing” progress bar overlay appears in the Case 
Window. After hashing is complete, the hash values are displayed. 


You can copy and paste text from the device description into a text file or export the text to a spreadsheet or database file. Select any or all of the device description text, then use your operating system's shortcut keys to copy and paste the text into your text file. To export the selected text items to a tab-delimited or CSV file, select the text items in the Content pane, then open Inspector's context menu and click Export Selected Rows. 


You must manually verify (compare) hash values for a .dd or .dmg image, as these raw image types do not store hash values. However, because E01 hash values are stored in the E01 image itself, when you click Calculate Disk Hash, Inspector compares the generated E01 image file hash value to the hash values stored in the image file. If the hash values match, the word Verified appears along with the generated hash values. Click the Calculate Disk Hash link at any time to recalculate the disk hashes. 
The known OS X and Windows hash sets have been updated to use hashes from hashsets.com. 
This increases the number of OS versions and total amount of hashes for hash comparisons, 
allowing you to filter out a larger number of unnecessary system files. 


Inspector supports hash sets containing MD5, SHA-1, and SHA-256 hash values. Inspector 
allows you to import hash sets saved as text files as long as the file contains one hash value per 
line with each line separated by a carriage return. Inspector automatically identifies the type of 
hash value stored in the text file. 
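The two checks described above, manual hash verification of a raw image and loading a one-hash-per-line text hash set, as an added Python example (not Inspector's own code). The sample image bytes and hash set are constructed; detecting the hash type from the hex digest length (32, 40 or 64 characters) and rejecting malformed or mixed lines are assumptions about how such a file should be validated.

```python
import hashlib
import os
import tempfile

# Hex digest lengths of the three hash types a hash set may contain.
HASH_TYPE_BY_LENGTH = {32: "md5", 40: "sha1", 64: "sha256"}
HEX_DIGITS = set("0123456789abcdef")


def hash_image(path, algorithms=("md5", "sha1", "sha256"), chunk_size=1 << 20):
    """Hash a raw image file in fixed-size chunks so a multi-GB image is never
    read into memory at once. Returns {algorithm: lowercase hex digest}."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def verify_image(path, reported_digest):
    """Manual verification for .dd/.dmg images, which carry no embedded hash:
    recompute the digest and compare it with the value reported at acquisition.
    The hash type is inferred from the digest length (assumption)."""
    digest = reported_digest.strip().lower()
    algo = HASH_TYPE_BY_LENGTH.get(len(digest))
    if algo is None:
        raise ValueError("reported digest is not an MD5, SHA-1 or SHA-256 hex string")
    return hash_image(path, algorithms=(algo,))[algo] == digest


def load_hash_set(text):
    """Parse a text hash set with one hex digest per line (CR, LF or CRLF).
    The hash type is detected from the first digest's length; blank lines are
    skipped. Assumption: a non-hex line, a line of another length, or a mix of
    hash types is rejected rather than silently ignored."""
    detected = None
    hashes = set()
    for lineno, line in enumerate(text.splitlines(), 1):
        value = line.strip().lower()
        if not value:
            continue
        algo = HASH_TYPE_BY_LENGTH.get(len(value))
        if algo is None or not set(value) <= HEX_DIGITS:
            raise ValueError(f"line {lineno}: not an MD5, SHA-1 or SHA-256 hex digest")
        if detected is None:
            detected = algo
        elif algo != detected:
            raise ValueError(f"line {lineno}: {algo} digest in a {detected} hash set")
        hashes.add(value)
    if detected is None:
        raise ValueError("hash set contains no digests")
    return detected, hashes


def is_known_file(path, hash_set):
    """True when the file's digest (of the set's type) is in the hash set,
    i.e. the file can be filtered out as a known system file."""
    algo, hashes = hash_set
    return hash_image(path, algorithms=(algo,))[algo] in hashes


def write_constructed_image(data=b"constructed raw image content\n" * 4096):
    """Write constructed sample bytes to a temporary file standing in for a .dd image."""
    fd, path = tempfile.mkstemp(suffix=".dd")
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    return path


if __name__ == "__main__":
    image = write_constructed_image()
    digests = hash_image(image)
    print("computed:", digests)
    print("verified against own MD5:", verify_image(image, digests["md5"]))
    # Constructed SHA-256 hash set with CRLF line endings and an upper-case entry.
    hash_set = load_hash_set(digests["sha256"].upper() + "\r\n" + "0" * 64 + "\r\n")
    print("hash set type:", hash_set[0], "known:", is_known_file(image, hash_set))
    os.remove(image)
```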


Custom hash sets created in Inspector are automatically saved in the .blhs format. Hash sets 
can be created containing MD5, SHA-1, SHA-256 or any combination of the three. Choose the 
hash types to be included in the hash set in the Hash Set Export window. 


[Screenshot: the Hash Set Export window, with MD5, SHA-1 and SHA-256 checkboxes and Cancel / Continue buttons] 


Advanced Evidence Recovery 


Inspector includes several disk and partition editing and recovery features. An examiner may 
specify sector size, edit or define hidden or missing partition parameters, import a partition as 
unallocated space, and create an .iso disk image file from a partition. 


As outlined in the Adding Evidence to a Case topic, begin the process for adding any of these 
evidence items to a case. 


• Disk Image: Add a forensically-acquired or virtual disk image (DMG, DD, VMDK, E01, Ex01, L01, S01, AFF4) 

• Selected Image File: Add the selected image file or virtual machine file located in a Component list device (available only when an image file or VM file is selected) 

• Encrypted iOS Disk Image: Add a forensically-acquired third-party iOS disk image with proprietary encryption enabled (such as Lantern Lite, etc.) 

• Other Attached Device: Add a mounted device such as a .dmg image, a Time Machine / Time Capsule image, an external FireWire or USB drive, or a mounted .E01 file (EWMounter) 
Manually Setting Disk Sector Size 


In the Add Evidence window, open the context menu from the selected disk or partition, and then 
click Set Disk Sector Size. The Disk Sector Size window appears. In the Sector Size field, type 
the appropriate sector size and click Set. Inspector applies the new sector size. 


Note: Most disks use a sector size of 512. Certain Advanced Format disks with a 4K Native (4Kn) label, as well as newer PCI-e NVMe solid state drives, use a sector size of 4096. 


Editing a Partition 


To recover a deleted or missing partition, in the Add Evidence window open the context menu 
from a disk or partition, and then click Edit Partitions. The Partition Editor window appears. 


[Screenshot: the Partition Editor window, with the partition list (Name, First Sector, Last Sector) and the Highlight Sector field on the left, a hex view of the selected sector on the right, and Cancel / Apply buttons] 


To change an existing partition's definition, on the left side of the Partition Editor window under 
the First Sector and/or Last Sector column, double-click the partition's current sector definition. 
An editable text box appears. Type the desired sector definition and click anywhere in the 
Partition Editor window to escape the text box. The new first and last sector definition displays. 


To highlight a specific sector, at the top of the Partition Editor window in the Highlight Sector 
field, type a sector number. Inspector jumps to the chosen sector and highlights the entire 
sector in yellow. 


Defining a Deleted or Missing Partition 


To define a deleted or hidden partition, in the lower left corner of the Partition Editor window, click + (add). A New Partition «partition #» entry appears in the partition list. To define the new partition's first and last sectors, under the First Sector and Last Sector column, double-click on the zero. An editable text box appears. Type the desired sector definition and click anywhere in the window to escape the text box. The new partition's first and last sector definition displays. 


To remove an existing partition, select a partition from the partition list and in the lower left 
corner of the Partition Editor window, click - (remove). The partition is removed from the 
partition list. Once all partition definitions are as desired, in the lower right corner of the 
Partition Editor window, click Apply. Inspector applies the new partition definitions. 
Importing or Processing a Drive or Partition as Unallocated Space 


When an item is selected in the left pane of the Add Evidence window, all its partitions are 
displayed in the middle pane. Partitions with recognized file systems that can be imported into 
Inspector are displayed with a checkbox to allow selection. However, any partition, whether it has 
a checkbox or not, may be imported as unallocated. Open the context menu from the partition 
and select Import Partition as Unallocated. Select Custom in the right pane and Carve 
Unallocated becomes an available option. 


Attached disks in the left pane can also be imported as unallocated in the same fashion. From 
the context menu, select Import as Unallocated. 


In the Add Evidence window, mark the checkbox for Carve Unallocated and click its 
corresponding ellipsis button to specify the unallocated file types to include in the recovery. 


Creating an .iso Disk Image from a Partition 


If a disk image partition contains an unsupported file system format (such as ZFS), you may 
create an .iso image from the partition and examine it with a third-party forensic analysis tool. In 
the Add Evidence window, open the context menu from a partition and select Create ISO from 
Partition. The Creating ISO window appears. 


In the Start Sector and Sector Count fields, define the partition start sector and the partition's 
total sector count, respectively. 


To determine the number of sectors in a partition if the number is unknown, click Cancel to 
dismiss the Creating ISO window. In the Add Evidence window, open the context menu for a disk 
or partition and click Edit Partitions. The Partition Editor window appears. Locate the partition in 
the partition list and subtract the number in the First Sector column from the number in the Last 
Sector column and add one. The resulting number is the partition's total sector count. In the Add 
Evidence window, open the context menu from a partition and click Create ISO from Partition. 
The Creating ISO window appears. 


In the Start Sector and Sector Count fields, define the partition start sector and the number of 
sectors in the partition, respectively. To create the .iso disk image file, click Start. Provide a 
name and destination location for the new .iso disk image and click Save. The .iso disk image is 
saved. 


142 


August 2021 Inspector User Guide 


File Entropy 


With Inspector, you can calculate byte stream entropy per file, which can aid in discerning 
between items that are more likely to be encrypted versus those which are not. Entropy values 
range from 0 to 1, with values closer to 1 denoting items that are more likely to be encrypted. 


You can process file entropy when adding an evidence item to a case. In Processing Options, 
mark the checkbox for Calculate File Entropy before you click OK. 


[Screenshot: the Processing Options pane for Bennett-Computer-200520.E01 (ImageFile), with the Calculate File Entropy checkbox listed below the other processing options and above Manage Passwords...] 


File entropy may also be processed after adding the evidence item to a case. Select an evidence 
item under Evidence Status in the Component list and click Run [or Rerun) next to Entropy. 
Entropy is available as a sortable column for display in the Browser and File Filter views. 


Managing Case Evidence 


[Screenshot: the Browser view sorted by its Entropy column, listing files under .fseventsd with values such as 0.68336509518773 and 0.46044279530415] 


File entropy is also available as an individual file filter in the File Filter view. 


[Screenshot: the File Filter view with the File Entropy filter selected and its High (> 0.8), Medium (0.5 - 0.8) and Low (< 0.5) options, plus the Invert Filter checkbox] 


The File Entropy filter has these option modifiers. 


• High (> 0.8) 
• Medium (0.5 - 0.8) 
• Low (< 0.5) 
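What the File Entropy value and its High / Medium / Low modifiers measure, as an added Python example (not Inspector's own code): the Shannon entropy of a file's byte stream, scaled from bits per byte to the 0 to 1 range, then bucketed with the thresholds listed above. Dividing by the 8-bit maximum to get the 0 to 1 scale and the treatment of values exactly on a boundary are assumptions; the sample byte streams are constructed.

```python
import math
import os
import tempfile
from collections import Counter


def _entropy_from_counts(counts, total):
    """Shannon entropy in bits per byte from a byte-frequency table."""
    if total == 0:
        return 0.0
    return -sum((c / total) * math.log2(c / total) for c in counts.values())


def byte_entropy(data):
    """Entropy of an in-memory byte string, 0.0 (one byte value) to 8.0 (uniform)."""
    return _entropy_from_counts(Counter(data), len(data))


def normalized_entropy(data):
    """Entropy scaled to 0..1 by dividing by 8 bits (assumption about how the
    guide's 0-to-1 values are derived). Values near 1 mean every byte value is
    about equally frequent, as in encrypted or well-compressed data."""
    return byte_entropy(data) / 8.0


def file_entropy(path, chunk_size=1 << 20):
    """Stream a file through the frequency counter so large files are not read
    into memory, then return the normalized entropy."""
    counts = Counter()
    total = 0
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            counts.update(chunk)
            total += len(chunk)
    return _entropy_from_counts(counts, total) / 8.0


def entropy_band(value):
    """Map a 0..1 value to the File Entropy filter's option modifiers.
    Assumption: exactly 0.5 and exactly 0.8 both fall in Medium."""
    if value > 0.8:
        return "High (> 0.8)"
    if value >= 0.5:
        return "Medium (0.5 - 0.8)"
    return "Low (< 0.5)"


def write_constructed_file(data):
    """Write constructed bytes to a temporary file so file_entropy can be shown."""
    fd, path = tempfile.mkstemp(suffix=".bin")
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    return path


# Constructed sample byte streams standing in for files of different kinds.
SAMPLES = {
    "zero-filled": bytes(4096),                # one symbol: 0 bits -> 0.0
    "two-symbol": b"ab" * 2048,                # 1 bit/byte -> 0.125
    "sixteen-symbol": bytes(range(16)) * 256,  # 4 bits/byte -> 0.5
    "all-byte-values": bytes(range(256)) * 16, # 8 bits/byte -> 1.0
    "random": os.urandom(4096),                # close to 1.0
}

if __name__ == "__main__":
    for name, data in SAMPLES.items():
        value = normalized_entropy(data)
        print(f"{name:16s} {value:.4f}  {entropy_band(value)}")
    path = write_constructed_file(SAMPLES["all-byte-values"])
    print("file_entropy:", file_entropy(path))
    os.remove(path)
```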
The Timeline view lets you access more information from one place. It responds quickly, even 
with many items in a case file, and allows you to easily focus on all activity during a time period 
you specify. You can see and sort by all timestamps for each artifact in the Timeline view. You 
can also see the file path, so you can easily view the file in the File Browser view and investigate 
further. You can tag items in the Timeline view just as you would in other views within Inspector. 


To open the Timeline view, click Timeline in the toolbar. 


This chapter provides these topics about the Timeline view. 


e Time Scale 

e Artifacts in Timeline 

e Timeline Details 

e Additional Timeline Features 


Time Scale 


To open the Timeline view, click Timeline in the toolbar. 


The time scale is the main navigation and display area for the time period currently in view. By default, the time scale centers its visible date range on the years between 1990 and 2024. You can move the visible timeframe, which changes the time period being viewed and the artifacts listed in the artifacts section. The scale cannot be moved to a date before 1900, nor to a date more than 20 years after the current date. These are the control buttons for timeline navigation. 


• ?, in the top left, is interactive help for the timeline. 

• +, to the right of the help button, zooms in on the timeline. 

• -, below the + button, zooms out on the timeline. 

• <>, below the help button, returns to the original view if you are zoomed in or out too far. 

• Two buttons on either edge of the timeline scroll the time view left or right. You can also use your mouse to click and drag the time scale left or right. 


As you move the mouse along the histogram area, a thin grey line shows where in the timeline 
the current navigation is, and a corresponding date and time appears to the left of the navigation 
buttons. 


[Screenshot: the time scale spanning the 1990s through the 2020s with a tick for each year, the current date and time readout, and the help, zoom and reset buttons] 
You are notified if the time scale moves to a time where no data is visible. In the extreme 
example below, the date range visible in the time scale is between 1925 and 1949, and there are 
no artifacts during the time period. The help shows that you need to zoom out and change the 
date range to see any artifacts. 


[Screenshot: the time scale positioned on the years 1925 to 1949 with no artifacts, showing the message "Zoom Out To See Counts"] 


Artifacts in Timeline 


To open the Timeline view, click Timeline in the toolbar. 


Below the time scale, you can see where artifacts fall within the timeline. A histogram shows 
where the most artifact activity falls within the visible date range. The taller the histogram bar, 
the more artifacts exist for that period. 


In addition to all the artifacts in the case, the Timeline view shows categories for the artifacts. All 
categories show by default; you can hide any of them as appropriate. These categories are the 
same ones you see elsewhere in the Inspector case. As you move the mouse along the histogram 
area, a thin grey line shows where in the timeline the current navigation is. 




The categories list to the left of the histogram area does not move when you change the time 
scale. This helps you stay oriented when viewing artifacts over time. It does update to show 
category information for the time period currently selected. To see more details for a specific 
time, you can click and drag left or right to highlight the timeframe that needs to be zoomed in 
on. 


[Screenshot: Timeline view with readout 2012-10-31 14:18:06 (EET). The category list beside the 
histogram shows All, Contact, Message, Notifications, Internet, Bookmark, Cache, Cookie, 
Downloads, Forms and History with their counts, and a yellow highlight marks a dragged 
selection on the time scale.] 
The size of the yellow highlight is proportional to how far it is dragged left or right. This in turn 
defines the zoom level. In the example above, the period selected is from mid-2010 through the 
end of 2012. This zooms the scale and the artifacts histogram in to show the months between 
mid-2010 and the end of 2012. If you make an even smaller selection, you can zoom in to the 
level of dates and times. 


[Screenshot: time scale zoomed to the months of 2011 and 2012, with category counts for All, 
Files, Communication (Call, Message), Internet (Bookmark, Cookie, Downloads, History, Top 
Sites) and Productivity (Calendar, Note).] 
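The windowing and bucketing described above, as an added example in Python that is not Inspector's own code: artifacts are constructed (timestamp, category) pairs, the visible window is clamped to the navigation limits stated above (nothing before 1900, nothing more than about 20 years ahead), a drag selection becomes a new window, and each category is counted per bin with an All row that sums them. The category names, the sample artifacts and the 20 x 365 day approximation of the upper limit are assumptions made for the example.

```python
"""Added example (not Inspector's code): the bucketing behind a timeline
histogram. Artifacts are (timestamp, category) pairs; the visible window is
clamped to the scale limits the guide gives (1900 to roughly 20 years ahead)
and split into equal bins, counted per category and for 'All'."""
from collections import defaultdict
from datetime import datetime, timedelta, timezone


def utc(year, month=1, day=1):
    """Convenience constructor for UTC timestamps."""
    return datetime(year, month, day, tzinfo=timezone.utc)


SCALE_MIN = utc(1900)


def scale_max(now=None):
    """Latest navigable date: about 20 years past now (year length approximated)."""
    now = now or datetime.now(timezone.utc)
    return now + timedelta(days=20 * 365)


def clamp_window(start, end, now=None):
    """Clamp a requested window to the navigable range; raise if nothing is left."""
    start, end = max(start, SCALE_MIN), min(end, scale_max(now))
    if start >= end:
        raise ValueError("window lies entirely outside the navigable range")
    return start, end


def histogram(artifacts, start, end, bins):
    """Counts per category per bin over [start, end); the 'All' row sums them.
    Artifacts outside the window are not counted, mirroring what the view shows."""
    width = (end - start) / bins
    counts = defaultdict(lambda: [0] * bins)
    for ts, category in artifacts:
        if not start <= ts < end:
            continue
        idx = min(int((ts - start) / width), bins - 1)
        counts[category][idx] += 1
        counts["All"][idx] += 1
    return dict(counts)


def zoom_selection(start, end, frac_a, frac_b):
    """A drag across fractions frac_a..frac_b of the scale becomes the new
    window, whichever direction the drag went."""
    lo, hi = sorted((frac_a, frac_b))
    span = end - start
    return start + span * lo, start + span * hi


def categories_with_data(hist):
    """Categories with at least one artifact in view; an empty histogram is the
    'Zoom Out To See Counts' case."""
    return sorted(c for c, row in hist.items() if c != "All" and any(row))


# Constructed sample artifacts, not from a real case.
SAMPLE = [
    (utc(2010, 8, 3), "Message"),
    (utc(2011, 2, 14), "Message"),
    (utc(2011, 2, 15), "Cookie"),
    (utc(2012, 11, 30), "History"),
    (utc(2015, 1, 1), "Cookie"),
]

if __name__ == "__main__":
    window = clamp_window(utc(2010), utc(2013))
    hist = histogram(SAMPLE, *window, bins=3)
    for category in ["All"] + categories_with_data(hist):
        print(f"{category:10s} {hist[category]}")
```

Three one-year bins over 2010 through 2012 give an All row of [1, 2, 1]; the 2015 cookie is outside the window and is not counted, and a window over 1925 through 1949 yields an empty histogram.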


Timeline Details 


To see the Timeline view, click Timeline in the toolbar. 


When you select one or more artifact categories from the list to the left of the timeline 
histogram, the details list shows information about each corresponding artifact within the time 
period shown. When you select an item in the details list, you can see more information in the 
File Content view. In this example, the Message category was selected. 


[Screenshot: details list for the Message category with timestamps such as 2010-12-01 17:40:42 
(UTC), and the File Content view tabs Hex, Strings, Preview, Metadata, Location, Record and 
Data Fork below it.] 


When the Files category is selected, the details view shows more dates. When you click any date 
column for a specific file artifact in the details view, the corresponding point in the timeline is 
identified with a view line. Additional view lines indicate additional dates in the timeline for that 
same file artifact. 


[Screenshot: Timeline view with the Files category selected; view lines on the time scale mark 
the dates of the selected file artifact.] 
To zoom in on the timeline to a specific timestamp for an item, select the specific timestamp for 
that item in the details list, open the context menu, and click Reveal » Reveal «timestamp» in 
Timeline. This lets you quickly see what other activities may have occurred in proximity to that 
activity on the timeline. 


Additional Timeline Features 


To see the Timeline view, click Timeline in the toolbar. 


To see artifacts from the details view of the timeline in their native view of Inspector, open the 
context menu for the artifact, then click Reveal » Item in Native View. The view then redirects to 
the appropriate location with the selected artifact highlighted. 


Conversely, to see where a piece of evidence lies in correlation with other items in the Timeline 
view, open the context menu for that item, and then click Reveal » Reveal «Item Name» in 
Timeline, where «Item Name» is the name of the selected item. 
Browser View 


In Inspector, the Browser view lets you navigate a device or device partition file system similar to 
using Finder on a Mac computer or File Explorer on a Windows computer. 


In the Component list, select a device or device partition, and on the toolbar, click Browser. In 
the Content view, expand a folder to see a hierarchical file list. Collapse the folder and the 
hierarchical list is hidden. Double-click on a folder to display only the contents of that folder. 


[Screenshot: Browser view of an Inspector case showing a hierarchical file list with Date Created, 
Date Modified, Date Accessed, Date Added, Version Index, Size and Extension columns; the 
current location is Racer - Data/.] 


You can quickly show or hide all folders within the parent folder. On a Mac computer, press OPT, 
and on a Windows computer press ALT while you click to expand two levels of child folders, or 
close all folders within the parent folder. 


The Browser view displays file timestamps, sizes, extensions, and hash values. Select a column 
heading to sort files by the column attribute. To calculate and display folder size (including folder 
contents), right-click or CTRL+click on the folder and select Calculate Size from the contextual 
menu. Inspector calculates the folder size and displays results in the Size column. You may 
calculate folder size for the root-level folder or any folder in the file system. 


To search folder contents, right-click or CTRL+click on a folder and select Search Contents from 
the contextual menu. Inspector switches to the Search view. The folder search path is 
automatically added to the search partition list and selected. For more information, see Search. 


At the top of the Content pane on the navigation bar, select the tabs to move to that location on 
the filesystem. Or you can use the arrows to the left of the tabs to go back to the previous 
location or forward to the most recent location. These arrows function as a historical navigation, 
not as a simple back and forward in file hierarchy. 


[Screenshot: navigation bar with back and forward arrows and the tabs Root » racer » Users » josh.] 


The highlighted tab indicates your current location within the directory structure. 


Select a file and at the top of the File Content view, scroll through Hex, Strings, Preview, 
Metadata, and Record to view file content in various ways. If a file has geolocation data, click 
Location to see a map displaying the file's GPS coordinates. For Mac computers only, you can 
click Quick Look (eye button) or press SPACEBAR to see the file rendered in a similar manner as 
the file's native creator application. For more information, see File Content View. 


In the Component list, select a previously processed unallocated (carved file) partition. A list of 
files recovered from unallocated space appears. 


Working with Columns 


To change the visible columns settings, click View » Adjust List Columns. You can show or hide 
each item in the list by marking or unmarking its checkbox. You can also reorder items in this list 
by dragging and dropping each item to the appropriate position. When you have finished 
making changes, click Apply Changes. The columns now appear in the specified order. 


To return columns to the way they were displayed by default, click View » Adjust List Columns. 
Click Reset List to Defaults, then click Apply Changes. 


When you export data using the Export Selected Rows feature, Inspector only exports the data in 
the displayed columns; data in the hidden (unmarked) columns is not exported. 


The exception to this rule is the Contacts subview in the Communication view. From this subview, 
all fields of the contact data, including those seen in the right pane, are included in exports. 


In most views that contain columns, clicking on a column header toggles between sorting by that 
column in ascending or descending order. A single arrow in the column header denotes a primary 
sort, as well as indicating the direction (up for ascending or down for descending). You can add a 
secondary sort by pressing SHIFT while you click a second column header. A set of double 
arrows denotes a secondary sort. You can remove a secondary sort by clicking a column of choice 
for primary sorting. 


[Screenshot: a Date Modified column header with a single arrow (primary sort, ascending) next 
to a Date Accessed column header with double arrows (secondary sort), with the rows ordered 
accordingly.] 
Type-Down in List Views 


In views that are based on list boxes, such as the Browser view, Communications views and so 
forth, you can type a letter (such as C), to immediately see the first item that begins with the 
letter C. If there is a secondary sort, the action is done only on the primary column. 


Special Fonts and Icons in Browser View 


[Screenshot: Browser view of Temporary Internet Files\Content.IE5 showing container.dat, the 
cache subfolders and cached files such as favicon[1].ico, rendered in the special fonts described 
below.] 


For NTFS and FAT volumes, Inspector scans the file system metadata (the MFT on NTFS, the 
directory entries on FAT) for records of files and folders that no longer exist in the active file 
system. 


Files and folders with sectors on disk that still contain data are shown in red italic font in the 
Browser view, indicating the file or folder was deleted but the space it was occupying has not yet 
been overwritten. 


Files and folders with sectors on disk that are empty or that belong to another file are shown in 
gray strikethrough font, indicating the file was deleted and the space has been overwritten. 


Gray font without strikethrough denotes that a file or folder has a hidden attribute set by the 
operating system. This means the file or folder is hidden from a user during regular browsing. 


For Windows volumes, Inspector shows an ADS icon for a file with an alternate data stream. 
Volume Shadow Copies 


Volume Shadow Copy (VSC) data from Windows Vista to present is parsed in Inspector. VSC 
allows users to create a snapshot backup of their system. From a forensic standpoint, these 
backups may be important because they may contain files that the user believes were deleted. 
VSC also offers a means of saving versions of a file. Comparing file versions between the active 
file system and VSCs may reveal items changed between backups. Using Inspector, you can 
review the contents of VSCs in multiple ways, including viewing them within the same file paths 
as seen on the original user's computer. 


For Windows volumes, Inspector displays a VSC version of a file with a VSC icon. For example, 
the upper file is the version from the active file system, while the lower file is a version from a 
Volume Shadow Copy. 


[Screenshot: two $LogFile entries; the upper one is the active file system version and the lower 
one carries the VSC icon.] 


In either the Browser view or File Filter view, double-click any file that is, or has, a Volume 
Shadow Copy version, and a separate File History window appears. In this window all Volume 
Shadow Copy versions of a file can be further analyzed. 


[Screenshot: a Records folder containing record.xls and record (2).xls with Versions and Version 
Index columns, and the File History window for record.xls listing VSC Creation Date 
2015-11-24 (UTC), VSC Index 1, the Volume Shadow GUID and Name, with the spreadsheet 
rendered in the Preview tab.] 
In the Browser view, files that exist in a Volume Shadow Copy but not in the parent volume are 
shown in red strikethrough italic font, indicating the file was deleted from the active file system 
but a version remains in one or more Volume Shadow Copies. 


[Screenshot: a workingcopy folder listing several .jpg files, Thumbs.db and wheels.jpg, with 
files present only in a Volume Shadow Copy shown in red strikethrough italic.] 


To see only a single Volume Shadow Copy's data, select the desired Volume Shadow Copy in the 
Component list. 


[Screenshot: Component list showing Bootcamp with the entries BOOTCAMP (Active) and 
BOOTCAMP (VSC 1).] 


When viewing a specific Volume Shadow Copy, only the Internet data, media, communications, 
Actionable Intel view data, and so on that belong to that Volume Shadow Copy are shown in the 
various views in Inspector. For more information, see these topics. 


• Content Keyword Searches 
• Individual File Filter Options 
File Filters 


This chapter provides these topics about file filters in Inspector. 


• Individual File Filter Options 
• Using File Filters 
• Filtering within Specific Views 
• Locating Live Victims 


The File Filter view and the Search features isolate information in a data set. The File Filter view 
isolates information by file attribute, such as file type and creation date. In contrast, the Content 
Search feature isolates information according to file content, such as alphanumeric keywords or 
regular expressions (RegEx). The Index Search feature isolates information based on information 
stored in the smart index. 


File filtering is the quickest way to isolate data in a large data set. 


[Screenshot: File Filter view with a Date Created condition, the Invert Filter and Ignore Folders 
and Duplicate Files options, the Reset and Save This Filter buttons, and a results list with Date 
Created, Date Modified, Date Accessed, Date Added, Version Index, Extension, Content 
Extension, Path, Directory, Locked and Hidden columns; the selected file's Name and Path are 
shown in the field list below.] 


Inspector has these built-in filter options. 


Filter                 | Description 
List All Files         | Display all files on the selected device 
Name                   | Filter files by name 
Path                   | Filter files in a named directory (folder) 
Kind                   | Filter by genus or category 
Extension              | Filter by file type based on extension (.doc, .txt, .jpg) 
Content Extension      | Filter by file type based on header information 
Extension Matching *   | Filter by file type based on header and extension information 
Tagged State           | Filter files that are tagged or not tagged 
Tag Name               | Filter files by Tag Name 
Size                   | Filter by file size 
Owner                  | Filter by owner 
Group                  | Filter by group 
Permission             | Filter by permissions 
Date Created           | Filter by creation date 
Date Modified          | Filter by date modified 
Date Accessed          | Filter by last access date 
Date Added             | Filter by date added 
Inspector ID           | Filter by the record ID stored within the casefile database 
File System ID         | Filter by the HFS catalog node ID / MFT ID number 
Hash Set               | Filter files with known hash values 
Hash Set Category      | Filter files based on hash set category 
File Hash              | Filter files based on a specific hash set 
List Duplicate Files   | Filter the duplicate files by hash 
File Entropy           | Filter by file entropy value 
Soft Link Path         | Filter by soft link path 
Hard Link Target ID    | Filter by Hard Link Target ID used for Time Machine backups 
Directory              | Filter by directory 
Locked                 | Filter files with a locked flag 
Resource Fork          | Filter files that have a resource fork 
Alternate Data Stream  | Filter files that have an alternate data stream 
Visibility             | Filter hidden or visible files 
iOS Hidden Item        | Filter iOS hidden items 
Metadata Field         | Filter on the metadata attribute field 
Metadata Value         | Filter on the metadata attribute value 
Metadata Field Value   | Filter simultaneously on metadata attribute field and value 
Spotlight Field        | Filter on the Spotlight attribute field 
Spotlight Value        | Filter on the Spotlight attribute value 
Spotlight Field Value  | Filter simultaneously on Spotlight attribute field and value 
Internal Filter        | Filter for displaying custom SQL from the details view 
Snapshot / VSC         | Filter files that have a Snapshot or Volume Shadow Copy version 
OCR Image Text         | Filter by image files with text obtained by optical character recognition (OCR) 


* A file extension is easily modified. A file header is more difficult to modify. 


Each primary filter option in Inspector has additional modifiers that allow you to further refine 
filter results. For more information, see Individual File Filter Options. 
Individual File Filter Options 


You may use any of these file filter options on individual files within a case in Inspector. 

• List All Files 
• Name 
• Path 
• Kind 
• Extension 
• Content Extension 
• Extension Matching 
• Tagged State 
• Tag Name 
• Size 
• Owner 
• Group 
• Permission 
• Dates Created, Modified, Accessed, and Added 
• BL ID 
• File System ID 
• Hash Set 
• Hash Set Category 
• File Hash 
• List Duplicate Files 
• File Entropy 
• Soft Link Path 
• Hard Link Target ID 
• Directory 
• Locked 
• Resource Fork 
• Alternate Data Stream 
• Visibility 
• iOS Hidden Item 
• Metadata Field 
• Metadata Value 
• Metadata Field Value 
• Spotlight Field 
• Spotlight Value 
• Spotlight Field Value 
• Internal Filter 
• Snapshot (APFS) / Volume Shadow Copy (NTFS) 
• OCR Image Text 
List All Files 


While the List All Files filter may take time to complete, it can be useful. For example, you can 
sort all files by ID, or by file type (content extension). The latter groups all known files together 
based on their file signature. During the sort process, a progress bar appears in the middle of 
the Case Manager window. 


The File Filter view can display these columns. 

• BL ID: The reference ID of a given file or folder within Inspector's casefile database 
• FS ID: The filesystem ID parsed from the file record 
• Name 
• Size: Logical size 
• Date Created 
• Date Modified 
• Date Accessed 
• Date Added 
• Version Index 
• Extension: File extension stored in the file system 
• Content Extension: Displays the extension based on the content header (file signature) 
• Tagged State 
• Evidence ID 
• Path 
• Directory 
• Locked: Displays locked/unlocked status (for example, read-only) 
• Visible: Displays hidden/visible status 
• Category 
• MD5 
• SHA1 
• SHA256 
• Entropy 


Right-click or press CTRL while you click anywhere in the Content pane. Click Action » Save File 
Listing. This saves the full file list of the selected files. The time it takes depends upon the total 
number of files selected. 


You can export file listings from the Content pane to a CSV or TSV delimited text file for 
importing into a spreadsheet or database application. For more information, see Workspace 
Orientation. 


Name 


The Name filter has six modifier options. You can simultaneously filter by more than one name 
by typing each name into the field to the right of the modifier field, separating each with a colon. 

• contains (default) 
• does not contain 
• starts with 
• ends with 
• is 
• is not 
Path 


The Path filter has the same modifier options as the Name filter. However, you can filter only one 
path at a time. 

• contains (default) 
• does not contain 
• starts with 
• ends with 
• is 
• is not 

Kind 


The Kind filter may be the most commonly used filter in Inspector. It filters files based on a 
genus or category. Use this filter to locate similar files, such as picture or document files. 


The Kind filter has 13 primary modifier options. Some of these primary modifiers have secondary 
modifier options. 


• Application (Locates application types) 

ALL   All types below 
Mac   .app bundles 
Win   .exe executables 


• Archives (Locates these archive file types) 

ALL         All types below 
7z          7-zip file (.7z) 
alz         ALZip Archive file (.alz) 
bz2         Burrows-Wheeler compressed file (.bz2) 
cpio        Unix CPIO Archive file (.cpio) 
gz          GNU compressed files (.gz) 
jar         Java Archive file (.jar) 
lzma        Lempel-Ziv-Markov chain Algorithm compressed file (.lzma) 
nsarchive   Object data stored to an archive file (.nsarchive) 
pkg         macOS installer package (.pkg) 
rar         Roshal Archive file (.rar) 
sit         StuffIt format files (.sit, .sitx, and .sea) 
tar         Tape archive format (.tar) 
uue         Uuencoded file (.uue) 
wim         Windows Imaging Format file (.wim) 
xz          XZ Compressed Archive (.xz) 
zip         PKWare based zip file (.zip) 

• Audio (Locates audio files) 
• Databases (Locates these database file types) 

ALL      All types below 
db       Database file (.db) 
sql      SQL Database file (.sql) 
sqlite   SQLite Database file (.sqlite) 

• Disk Images (Locates these disk image file types) 

ALL            All types below 
aff4           Advanced Forensic File Format (.aff4) 
dmg            Apple Disk Image (.dmg) 
img            Macintosh Disk Image (.img) 
iso            ISO-9660 standard image (.iso) 
sparsebundle   Apple Sparse Bundle (.sparsebundle) 
sparseimage    Apple Sparse Image (.sparseimage) 

• Emails (Locates these types of email) 

Apple Mail             .eml, .emlx 
Outlook 2011 for Mac   .olk14message, .olk14msgsource 
Outlook 2016 for Mac   .olk15message, .olk15msgsource 
Outlook for Windows    .ost, .pst 

• Folder (Locates all folders and directories) 

• iWork (Locates these iWork Office file types) 

ALL       All types below 
Keynote   iWork Keynote (presentation) files (.key) 
Numbers   iWork Numbers (spreadsheet) files (.numbers) 
Pages     iWork Pages (word processor) files (.pages) 

• Office Documents (Locates these Microsoft Office file types) 

ALL          All types below 
Excel        Microsoft Excel files (.xls, .xlsx) 
PowerPoint   Microsoft PowerPoint files (.ppt, .pptx) 
Word         Microsoft Word files (.doc, .docx) 

• PDF (Locates all .pdf files) 

• Pictures (Locates these picture file types) 

ALL    All types below 
BMP    Bitmap raster graphics image file format (.bmp) 
GIF    Graphics Interchange Format (.gif) 
HEIC   High Efficiency Image File Format (.heic) 
JPG    Joint Photographic Experts Group format (.jpg, .jp2, .jpeg) 
KDC    Bitmap image format used by several Kodak digital cameras (.kdc) 
PNG    Portable Network Graphics (.png) 
PSD    Adobe Photoshop (.psd) 
TIFF   Tagged Image File Format (.tif, .tiff) 
XBM    X BitMap, a plain text binary image format (.xbm) 
• Plists (Locates .plist file types) 

• Videos (Locates these video file types) 

3gp    Multimedia container format defined by the Third Generation Partnership Project (.3gp, .3g2) 
avi    Audio Video Interleave (.avi) 
dv     Digital video file (.dv) 
flv    Flash Video (.flv) 
mp4    Digital multimedia container format (.m4v, .mp4) 
mov    QuickTime file format (.mov) 
mpeg   Standard for lossy compression of video and audio (.mpeg, .mpg) 
vob    Video Object, the container format of DVD-Video media (.vob) 
wmv    Windows Media Video (.wmv) 
lrv    Low resolution GoPro video files (.lrv) 


Extension 


The Extension filter has six modifier options. You can simultaneously filter by more than one file 
extension by typing each file extension into the field to the right of the modifier field, separating 
each with a colon. 

• contains (default) 
• does not contain 
• starts with 
• ends with 
• is 
• is not 


File extensions are assigned to a file by an application or a user. On Mac computers, files may 
not have extensions, or the file extensions may not be visible. 


Content Extension 


The Content Extension filter has the same modifier options as the Extension filter. Filtering by 
Content Extension is based on the file signature, rather than on the visible extension within the 
file name. You can simultaneously filter by more than one content extension by typing each into 
the field to the right of the modifier field, separating each with a colon. 

• contains (default) 
• does not contain 
• starts with 
• ends with 
• is 
• is not 
Extension Matching 


The Extension Matching filter compares file extensions to file signatures. Use this filter to isolate 
files with extensions and signatures that match or don't match. (A user can easily modify a file 
extension, but a file signature is more difficult to modify.) 


The Extension Matching filter has two modifier options. 


e Extensions Don't Match (default) 
e Extensions Match 
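As an added illustration (not Inspector's signature database or code), the following Python compares a file's stored extension with a small constructed table of content signatures. Container formats matter here: a .docx, a .jar and a .zip all begin with the same PK signature, so the table maps each signature to the family of extensions that legitimately carry it, and a file whose header matches no known signature is reported as undecidable rather than as a mismatch. The signature table, the extension families and the sample files are constructed for the example.

```python
"""Added example (not Inspector's code): flag files whose extension disagrees
with their content signature, the logic behind an 'Extensions Don't Match'
filter. SIGNATURES is a small constructed table, not Inspector's signature DB."""
import os

# (magic bytes at offset 0, extensions that legitimately carry this signature)
# Container formats share a signature: a .docx is a zip, a .doc is OLE2.
SIGNATURES = [
    (b"\xff\xd8\xff",                      {"jpg", "jpeg"}),
    (b"\x89PNG\r\n\x1a\n",                 {"png"}),
    (b"GIF87a",                            {"gif"}),
    (b"GIF89a",                            {"gif"}),
    (b"%PDF-",                             {"pdf"}),
    (b"PK\x03\x04",                        {"zip", "jar", "docx", "xlsx", "pptx", "apk"}),
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1",  {"doc", "xls", "ppt", "msg"}),
    (b"MZ",                                {"exe", "dll", "sys", "scr"}),
    (b"Rar!\x1a\x07",                      {"rar"}),
    (b"7z\xbc\xaf\x27\x1c",                {"7z"}),
]


def extension_of(name):
    """Extension as stored in the name, lower-cased, without the dot ('' if none)."""
    return os.path.splitext(name)[1].lstrip(".").lower()


def content_extensions(header):
    """Extensions consistent with the header bytes, or None if no signature is
    recognised (an unknown type cannot be judged either way)."""
    for magic, exts in SIGNATURES:
        if header.startswith(magic):
            return exts
    return None


def extensions_match(name, header):
    """True/False when the signature is known, None when it is not."""
    exts = content_extensions(header)
    if exts is None:
        return None
    return extension_of(name) in exts


def filter_files(files, modifier="Extensions Don't Match"):
    """Apply the filter to a {name: header_bytes} mapping. Files with an
    unrecognised signature appear in neither result set."""
    want = modifier == "Extensions Match"
    return sorted(n for n, h in files.items() if extensions_match(n, h) is want)


# Constructed sample "files": only the leading bytes matter for the check.
SAMPLE_FILES = {
    "photo.jpg":    b"\xff\xd8\xff\xe0\x00\x10JFIF",
    "report.PDF":   b"%PDF-1.7\n%\xe2\xe3\xcf\xd3",
    "quarter.docx": b"PK\x03\x04\x14\x00\x06\x00",
    "notes.txt":    b"MZ\x90\x00\x03\x00\x00\x00",   # renamed executable
    "holiday.jpeg": b"\x89PNG\r\n\x1a\n\x00\x00",    # PNG carrying a .jpeg name
    "readme.txt":   b"Just some text\n",             # no signature: undecidable
}

if __name__ == "__main__":
    print("Extensions Don't Match:", filter_files(SAMPLE_FILES))
    print("Extensions Match:      ", filter_files(SAMPLE_FILES, "Extensions Match"))
```

On the sample set the renamed executable and the mislabelled PNG are the only mismatches; the plain-text file is excluded from both result sets because it carries no signature, which is the case an analyst should remember when a "don't match" list looks shorter than expected.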


Tagged State 


The Tagged State filter has three modifier options. 


• Tagged Files (default) 
• Untagged Files 
• Both Tagged and Untagged Files 


Tag Name 


The Tag Name filter has six modifier options. 

• contains (default) 
• does not contain 
• starts with 
• ends with 
• is 
• is not 
Size 


The Size filter has primary and secondary modifier options. Both modifiers must be set for the 
filter to function. After modifiers are set, click Filter. 


First, choose from this list of modifiers. 

• equals 
• is less than 
• is greater than (default) 
• is not 
• is <= to 
• is >= to 

Next, type a custom file size in the text field and choose a unit of measure. 

• Bytes 
• KB (Kilobytes) (default) 
• MB (Megabytes) 
• GB (Gigabytes) 
Owner 


The Owner filter has six modifier options. 


• equals 
• is less than 
• is greater than (default) 
• is not 
• is <= to 
• is >= to 
Group 


The Group filter has six modifier options. 


• equals 
• is less than 
• is greater than (default) 
• is not 
• is <= to 
• is >= to 
Permission 


The Permission filter has six modifier options. 

• equals 
• is less than 
• is greater than (default) 
• is not 
• is <= to 
• is >= to 
Dates Created, Modified, Accessed, and Added 


The Date Created, Date Modified, Date Accessed, and Date Added filters have five modifier 
options. 


• is between (default) 
• is before 
• is after 
• is exactly 
• is not 


To the right of the date field, click the calendar icon. On the calendar, click < or > to scroll 
through the months. Or, at the top of the calendar, choose a month and year from the drop-down 
menus. Select a number to choose a day of the month. The date text field is populated, and the 
calendar closes. 


To modify the date manually, in the date field click to select a month, day, or year value, and type 
the desired numeric value into the text field. To modify the date incrementally, in the date field 
click to select a month, day, or year value. To the right of the date field, click the up or down 
arrows to increase or decrease the date value incrementally. 


BL ID 


The BL ID is a unique internal file identifier. It is different from the file system ID number. The
Inspector ID number is generated during ingestion for every file, because some files do not have
a file system ID (deleted files, files from archives, ingested file or folder items). Inspector uses the
BL ID as an internal tracking system. BL IDs are unique only within the case file in which they
reside. The filter has six modifier options.


• equals
• is less than
• is greater than (default)
• is not
• is <= to
• is >= to


File System ID


The File System ID filter option has six modifier options. 


• equals
• is less than
• is greater than (default)
• is not
• is <= to
• is >= to


Folders and files on a volume formatted in HFS or HFS+ are assigned a unique Catalog Node ID 
(CNID). Using the File System ID file filter, you can search for folders and files by a specific 
Catalog Node ID, or within a Catalog Node ID numerical range. NTFS files will use the MFT ID. 


Hash Set 


The Hash Set filter supports positive and negative hash value filtering against one or more hash 
sets. For more information, see Hash Set and File Signature DB Management. This filter has two 
modifier options. 


• Files in Hash Set (default)
• Files Not in Hash Set


You can download hash sets from Cellebrite. Inspector can use those hash sets and import 
EnCase (6.19 and lower), NSRL (full), and text-based (one hash value per line, with each line 
separated by a carriage return) hash sets. Additionally, you can create custom hash sets from 
file hash values generated during a case examination. 


The Hash Set filter is available only after you run the Known Files processor on a device in the
case, using one or more hash sets (bundled and custom). Each hash set you select before
running the Known Files processor is available as a Hash Set filter option.


To create a positive hash filter, which isolates only files with hash values matching those in the
chosen hash set, choose the Files in Hash Set option and select a bundled or custom hash set.
To create a negative hash filter, which isolates only files with hash values not matching those in
the chosen hash set, choose the Files Not in Hash Set option and select a bundled or custom
hash set.


Hash Set Category


The Hash Set Category filter allows for numeric filtering of file hash categories (for hash sets 
with categories, such as PhotoDNA, S21). Hash sets in Inspector can be assigned a number from 
0 through 9. The filter has six modifier options. 


• equals
• is less than
• is greater than (default)
• is not
• is <= to
• is >= to


File Hash 


The File Hash filter has five modifier options.


• contains (default)
• does not contain
• starts with
• ends with
• is
• is not


You can filter by hash values using all characters of a hash value or by using only part of a hash 
value. You can filter data based on any of these hash values (MD5, SHA-1, or SHA-256). This filter 
only works after you run the Hashes processor on a device in the case. 


List Duplicate Files 


The List Duplicate Files filter option has no modifiers. It shows all duplicate files based on hash
value. This filter only works after you run the Hashes processor on a device in the case.
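The Hash Set, File Hash and List Duplicate Files filters described above, emulated in Python as an added example (not Inspector's own code): it hashes constructed in-memory files, loads a constructed text-based hash set with one hash per line, and applies the Files in Hash Set / Files Not in Hash Set options, partial File Hash matching, and duplicate listing. The file names, hash list contents, and function names are assumptions.

```python
"""Emulation of Inspector's Hash Set, File Hash and List Duplicate Files filters.

Added example, not Inspector code. The sample files and hash set are
constructed inline so the script runs offline; all names are assumptions.
"""
import hashlib
from collections import defaultdict
from typing import Dict, List, Set

# Constructed sample "files" (name -> content). Two share content so the
# duplicate listing has something to report.
SAMPLE_FILES: Dict[str, bytes] = {
    "notes.txt": b"meeting at noon\n",
    "notes (copy).txt": b"meeting at noon\n",
    "photo.jpg": bytes(range(64)),
    "empty.bin": b"",
}


def hash_file(data: bytes) -> Dict[str, str]:
    """MD5, SHA-1 and SHA-256 hex digests, the three the File Hash filter accepts."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def hash_all(files: Dict[str, bytes]) -> Dict[str, Dict[str, str]]:
    """What the Hashes processor produces: name -> digests."""
    return {name: hash_file(data) for name, data in files.items()}


# Constructed text-based hash set: one hash per line, carriage-return
# separated as the guide describes, written in upper case to show that
# case is normalised, plus one digest that matches nothing in the samples.
SAMPLE_HASH_SET_TEXT = "\r".join([
    hash_file(SAMPLE_FILES["photo.jpg"])["md5"].upper(),
    "00000000000000000000000000000000",
]) + "\r"


def load_text_hash_set(text: str) -> Set[str]:
    """Parse a text-based hash set; CR, LF and CRLF line endings all work."""
    return {line.strip().lower() for line in text.splitlines() if line.strip()}


def hash_set_filter(hashes, hash_set: Set[str], in_set: bool = True) -> List[str]:
    """Files in Hash Set (in_set=True) or Files Not in Hash Set (in_set=False).

    A file counts as "in" the set when any of its digests appears in it.
    """
    return sorted(name for name, digests in hashes.items()
                  if any(d in hash_set for d in digests.values()) == in_set)


def file_hash_filter(hashes, modifier: str, term: str) -> List[str]:
    """File Hash filter: whole or partial digest match, case-insensitive."""
    term = term.lower()
    positive = {
        "contains": lambda h: term in h,
        "starts with": lambda h: h.startswith(term),
        "ends with": lambda h: h.endswith(term),
        "is": lambda h: h == term,
    }
    # Negative modifiers are the complement of their positive counterpart.
    negative = {"does not contain": "contains", "is not": "is"}
    if modifier in negative:
        matched = set(file_hash_filter(hashes, negative[modifier], term))
        return sorted(name for name in hashes if name not in matched)
    test = positive[modifier]
    return sorted(name for name, digests in hashes.items()
                  if any(test(h) for h in digests.values()))


def list_duplicates(hashes, algorithm: str = "sha256") -> Dict[str, List[str]]:
    """List Duplicate Files: digest -> names, for digests shared by 2+ files."""
    groups = defaultdict(list)
    for name, digests in hashes.items():
        groups[digests[algorithm]].append(name)
    return {h: sorted(names) for h, names in groups.items() if len(names) > 1}
```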


File Entropy 


The File Entropy filter has three modifier options.


• High (> 0.8)
• Medium (0.5 - 0.8)
• Low (< 0.5)
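How the three entropy bands can be computed, as an added example rather than Inspector's own implementation. It assumes the filter's 0.5 and 0.8 thresholds apply to byte-level Shannon entropy scaled to a 0-1 range (8 bits maximum per byte), which the guide does not state; sample contents and file names are constructed.

```python
"""Shannon entropy banding matching the File Entropy filter's three options.

Added example, not Inspector code. Assumption: the guide's 0.5 / 0.8
thresholds are on a 0-1 scale, so byte entropy (0-8 bits) is divided by 8.
"""
import math
from collections import Counter
from typing import Dict, List


def normalized_entropy(data: bytes) -> float:
    """Shannon entropy of the byte distribution, scaled to 0.0-1.0."""
    if not data:
        return 0.0          # an empty file carries no information
    counts = Counter(data)
    total = len(data)
    bits = -sum((c / total) * math.log2(c / total) for c in counts.values())
    return bits / 8.0       # 8 bits is the maximum for a byte alphabet


def entropy_band(value: float) -> str:
    """Map a 0-1 entropy value to the filter's High / Medium / Low options."""
    if value > 0.8:
        return "High"
    if value >= 0.5:
        return "Medium"
    return "Low"


def classify_files(files: Dict[str, bytes]) -> Dict[str, List[str]]:
    """Group file names by band, the way the three filter options would."""
    bands: Dict[str, List[str]] = {"High": [], "Medium": [], "Low": []}
    for name, data in files.items():
        bands[entropy_band(normalized_entropy(data))].append(name)
    return {band: sorted(names) for band, names in bands.items()}


# Constructed samples: a zero-filled region, plain English text, and a byte
# pattern that uses every value equally. The last one scores the maximum,
# which is also what compressed, packed or encrypted payloads look like,
# so the High band is the one worth a closer look during triage.
SAMPLE_FILES: Dict[str, bytes] = {
    "sparse.bin": b"\x00" * 4096,
    "readme.txt": b"the quick brown fox jumps over the lazy dog " * 20,
    "vault.enc": bytes(range(256)) * 16,
}

if __name__ == "__main__":
    for name, data in SAMPLE_FILES.items():
        e = normalized_entropy(data)
        print(f"{name:12s} {e:.3f} {entropy_band(e)}")
```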
Soft Link Path


You can use this filter to find soft links (symbolic links) created in macOS. The Soft Link Path 
filter has six modifier options. 


• contains (default)
• does not contain
• starts with
• ends with
• is
• is not


Hard Link Target ID 


You can use this filter to find files within a Time Machine backup. The Hard Link Target ID filter 
has six modifier options. 


• equals
• is less than
• is greater than (default)
• is not
• is <= to
• is >= to


Directory


The Directory filter has three modifier options. 


• Directories only
• Files only
• both directories and files (default)


Locked 


The Locked filter has three modifier options. 


• Locked files only
• Unlocked files only
• both Locked and Unlocked files (default)


Locked files are write-protected (read-only). A standard user can open these files and perhaps 
copy them to a different location. However, a locked file cannot (under normal circumstances) be 
modified, renamed, or deleted. 
Resource Fork


The Resource Fork filter has three modifier options. 


• only files with a Resource Fork
• only files without a Resource Fork
• files with or without a Resource Fork (default)


In macOS, "design element" information is stored in a file's resource fork. "Raw" information,
such as text, is stored in a file's data fork.


Alternate Data Stream 


The Alternate Data Stream filter has three modifier options. 


• only files with an Alternate Data Stream
• only files without an Alternate Data Stream
• files with or without an Alternate Data Stream (default)


Visibility 


The Visibility filter has three modifier options. 


• Visible files only
• Invisible files only
• both Visible and Invisible files (default)


Many system files are hidden in macOS to prevent accidental user modifications. However, users
can manually hide both folders and files by highlighting the folder or file name and typing a dot
(.) at the beginning of the name. The Visibility filter does not include files and folders hidden by
users in filter results. To include files and folders hidden by users in results, also use the Name
filter modified by starts with . (dot).


iOS Hidden Item 


The iOS Hidden Item filter has no modifiers. It shows iOS Hidden Items.


Metadata Field


A Metadata Field is based on the metadata Field column seen in the File Information pane. For 
example, a metadata field could be Megapixels, Aspect Ratio, or Skin Tone. Not all files contain 
the same types of metadata. This filter isolates only files containing metadata you specify in the 
metadata field. 


The Metadata Field filter option has five modifier options. 


• contains (default)
• does not contain
• starts with
• ends with
• is
• is not


You can simultaneously filter by more than one metadata item by typing each metadata item into 
the field to the right of the modifier option field, separating each item with a colon. 


Metadata Value 


The Metadata Value filter has five modifier options. 


• contains (default)
• does not contain
• starts with
• ends with
• is
• is not


You can simultaneously filter by more than one metadata value by typing each value into the text 
field to the right of the modifier option field, separating each item with a colon. 


Some metadata items, such as picture aspect ratios, contain a colon in the item name (for
example, a 4:3 aspect ratio). In this case, the colon symbol must be "escaped" to prevent the
filter from treating 4 and 3 as two separate items and returning results with "4" and "3" in the
metadata. To filter files by metadata values that have a colon, add an additional colon. For
example, to filter for the aspect ratio 4:3, type 4::3 into the filter criteria field.
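The colon-separated criteria syntax shared by the Metadata Field and Metadata Value filters, including the :: escape, emulated as an added example that is not Inspector's code. It assumes that multiple items are combined so that a file matches when any item matches, which the guide does not specify; the sample metadata and function names are constructed.

```python
"""Emulation of the colon-separated criteria used by Inspector's Metadata Field
and Metadata Value filters.

Added example, not Inspector code. The modifier names come from the user
guide; how multiple items combine (any item may match) is my assumption.
"""
from typing import Callable, Dict, List

# Positive modifiers test one metadata value against one criteria item.
POSITIVE: Dict[str, Callable[[str, str], bool]] = {
    "contains": lambda value, term: term in value,
    "starts with": lambda value, term: value.startswith(term),
    "ends with": lambda value, term: value.endswith(term),
    "is": lambda value, term: value == term,
}
# Negative modifiers are the complement of a positive one.
NEGATIVE: Dict[str, str] = {"does not contain": "contains", "is not": "is"}


def parse_criteria(text: str) -> List[str]:
    """Split on ':' while treating '::' as an escaped, literal colon.

    '4:3'  -> ['4', '3']   two items, the mistake the guide warns about
    '4::3' -> ['4:3']      one item containing a colon
    """
    items: List[str] = []
    current: List[str] = []
    i = 0
    while i < len(text):
        if text[i] == ":":
            if text[i + 1:i + 2] == ":":
                current.append(":")         # escaped colon stays in the item
                i += 2
                continue
            items.append("".join(current))  # bare colon ends the item
            current = []
        else:
            current.append(text[i])
        i += 1
    items.append("".join(current))
    return [item for item in items if item]


def file_matches(metadata: Dict[str, str], modifier: str, criteria: str) -> bool:
    """True if the file's metadata satisfies the modifier for any criteria item."""
    if modifier in NEGATIVE:
        return not file_matches(metadata, NEGATIVE[modifier], criteria)
    test = POSITIVE[modifier]
    return any(test(value, term)
               for value in metadata.values()
               for term in parse_criteria(criteria))


def filter_by_value(files: Dict[str, Dict[str, str]], modifier: str, criteria: str) -> List[str]:
    """Metadata Value filter: names of files whose metadata values match."""
    return sorted(name for name, md in files.items() if file_matches(md, modifier, criteria))


def filter_by_field(files: Dict[str, Dict[str, str]], modifier: str, criteria: str) -> List[str]:
    """Metadata Field filter: the same logic applied to field names instead of values."""
    return sorted(name for name, md in files.items()
                  if file_matches({k: k for k in md}, modifier, criteria))


# Constructed sample metadata, modelled on the guide's File Information pane.
SAMPLE_FILES: Dict[str, Dict[str, str]] = {
    "IMG_0001.heic": {"Aspect Ratio": "4:3", "Make": "Apple", "Model": "iPhone"},
    "IMG_0002.jpg": {"Aspect Ratio": "16:9", "Make": "Canon", "Model": "EOS 5D"},
    "scan.png": {"Width": "3", "Height": "4"},
}
```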


Metadata Field Value 


The filter combines the Metadata Field filter with the Metadata Value filter. The modifier options 
listed for the Metadata Field and the Metadata Value filters are present in this combined filter. 
Spotlight Field


To use this filter, the Spotlight Index must be parsed in Advanced processing options. The
Spotlight Field filter option has five modifier options.


• contains (default)
• does not contain
• starts with
• ends with
• is
• is not


Spotlight Value 


To use this filter, the Spotlight Index must be parsed in Advanced processing options. The
Spotlight Value filter option has five modifier options.


• contains (default)
• does not contain
• starts with
• ends with
• is
• is not


Spotlight Field Value 


This filter combines the Spotlight Field filter with the Spotlight Value filter. The modifier options 
listed for the Spotlight Field and the Spotlight Value filters are present in this combined filter. 


Internal Filter 


You can select this filter when the File Filter view shows a custom SQL value from the Details 
view (for example, when double-clicking on a bar graph element in the Details - Artifacts view). 
This allows for the data to be sorted, refreshed, and further filtered. If you attempt to select the 
Internal Filter option when building a custom filter, Inspector automatically switches to the List 
All Files filter instead. 
Snapshot (APFS) / Volume Shadow Copy (NTFS)


The Snapshot filter works on macOS computers which have the APFS file system. Volume 
Shadow copies exist on Windows NTFS filesystems. The Snapshot/Volume Shadow Copy filter 
option has four modifier options. 


• only files with changes in a Snapshot/VSC
• only files that exist in more than one Snapshot/VSC (Active partition included)
• only files that are unique to the Active partition or to a Snapshot/VSC
• all files


In either the File Filter view or the Browser view, double-click any file that is—or has—a Volume 
Shadow Copy version, and a separate File History window appears. In this window, all Volume 
Shadow Copy versions of a file can be further analyzed. 


OCR Image Text 


Optical character recognition (OCR) converts text detected in the image into plain text which can
be indexed and then searched. This process is limited to these image types.


• pdf
• tiff
• bmp
• png
• jpg
• gif


This filter has these options.


• Only files with OCR Image Text
• Only files without OCR Image Text
• Files with or without OCR Image Text


Text obtained through OCR appears on the Strings tab in the File Content view after this label:
***** OCR Image Text *****


You can search OCR text with an index search, but not with a content search, as OCR text does 
not exist as plain text. 
Using File Filters


In the Component list under Evidence, select a device. On the toolbar, click File Filter. Click + 
Condition or + Group to add a filter criteria row or group. 


This example shows a file filter to isolate all picture file types created after January 1, 2013. 


[Screenshot: File Filter view, Match: All, with two condition rows: Kind | Pictures - All, and Date
Created | is after | 1/1/2013; below them the Invert Filter and Ignore Folders and Duplicate Files
checkboxes, Reset, and Save This Filter]


Add the Kind condition and the modifier Pictures - All. Next, add the Date Created condition and
the modifier is after, then set the date to 1/1/2013. Click Filter. The results show all .bmp, .gif,
.heic, .jpg, .kdc, .png, .psd, .tiff, and .xbm picture file types, further isolated to files created after
January 1, 2013.


To suppress folders and file duplicates in the results, mark the Ignore Folders and Duplicate 
Files checkbox. To filter files that match the inverse of the filter criteria, mark the Invert Filter 
checkbox. 


To remove a filter criteria row or group, click X.


Saving and Managing File Filters


To save a file filter for later use, click Save This Filter. Type a name for the filter and click OK. 
Inspector saves the current filter settings. Saved filters appear in the Saved Filters list in the top 
right corner of the Content pane. 


Saved file filters also appear in the Inspector Search view and may be applied to further refine 
search results. For more information, see Search. 


To rename or remove a saved filter, in the top right corner of the Content pane click Saved 
Filters » Manage Saved Filters. The User Created Filters window appears. 


• To rename a filter, select the filter from the list, and then click Rename. Type a new filter
name and click anywhere in the window to escape the text field.
• To remove a saved file filter, select the filter from the list, and then click Remove.


Applying a Preset Filter or Saved File Filter 


To apply a preset filter or a saved filter, in the Saved Filters list, select the filter and then click 
Filter. 


To clear and reset the current filter settings, click Reset. 
Filtering within Specific Views


Several views in Inspector include a file filter. The filter options that are available depend upon 
which view is in use. 


To show or hide the file filter, toggle Show/Hide Filter (three arrows) at the top right of the
Content pane. The button changes in appearance such that the arrows are reversed, and a filter
pane appears in the right portion of the Content pane. When Show/Hide Filter is black, no filter is
applied. While at least one filter is applied, it is green.


[Screenshot: Media view (Pictures, Videos, Thumbnails tabs) with the Sticky Select and Match: Any
controls, a Category filter row in the filter pane, picture thumbnails, and the File Content view
showing Threat Categories values; the status bar reads "(of 17) - Filtered"]


To create a filter for a view, to the right of Apply, click + (add). In the filter field, the default is
Any. Choose an appropriate filter option and set the modifiers. Repeat this process to add more
filter options.


To remove a filter option, to the right of the filter, click - (remove). To remove all filters and 
return to showing all files, click - (remove) for each filter, then click Apply. 


This example shows filter options for the Messages sub-view of the Communications view.


[Screenshot: Messages filter pane with Match: All, Apply, Reset, and the filter option list: Any,
Attachments, Content, Date, Date Delivered, Date Read, Direction, Failed, Message ID,
Participants, Sender, Service, BID, Subject, Deleted Record]
Locating Live Victims


File Filters


Using the Inspector Locations and File Filter or Media File Filter features together, an
investigator may quickly isolate picture and/or video files containing geolocation metadata with
just a few keystrokes. The investigator may then locate additional picture and video files taken at
the same location and/or with the same iPhone, iPad, or other camera make and model by
applying a filter containing specific longitude and latitude coordinates, or the smart device or
camera model name.


The Inspector Metadata Field filter isolates files containing specified metadata attributes (seen
in the screenshot, left column). For example, choose the Metadata Field file filter to ask
Inspector to "show me all the files containing GPS, latitude, longitude, and EXIF metadata."
Inspector also has a built-in filter, Geo Location, to locate data containing geolocation
information based on the presence of geolocation Metadata Fields.


The Metadata Value filter isolates files containing specified metadata values (seen in the
screenshot, right column) such as an actual longitude or latitude coordinate or a specific camera
make. For example, choose the Metadata Value file filter to ask Inspector to "show me all the
files containing the latitude coordinate [43, 38, 33.21]."


In this example, we combine a geolocation filter in the Media view and the Metadata Value file
filter to locate pictures taken at the same location.
[Screenshot: File Information pane. Metadata Field column (left): Subject Area, Color Space,
Width, Height, Exposure Mode, White Balance, Sharpness, and a GPS section with Latitude,
Longitude, and Altitude fields. Metadata Value column (right): the corresponding values, for
example Width 2048, Height 1536, White Balance "Auto white balance", Altitude 192.27]
Locating Picture or Video Files Created at the Same Location


To isolate media files containing geolocation metadata, in the Component list under Evidence 
select a device. On the toolbar, click Media. 


To isolate media files containing geolocation metadata, click Show/Hide Filter (three arrows)
below the right side of the toolbar.




The button changes in appearance such that the arrows are reversed, and a filter pane appears 
in the right portion of the Content pane. When a filter is applied, the Show/Hide Filter button is 
green. 


[Screenshot: Media view (Pictures, Videos, Thumbnails, Combined, Audio tabs) with the Sort,
Sticky Select, and Match: Any controls, a Category filter row in the filter pane, thumbnails, and
the File Content view (Hex, Strings, Preview, Metadata, Location, Record, Data Fork tabs) showing
Threat Categories values; the status bar reads "(of 17) - Filtered"]


To the right of Apply, click + (add). The default filter is File Filter | is | Current File Filter. Click 
Current File Filter and select Geo Location. 


[Screenshot: filter pane with Match: All, Reset, Apply, and one row reading File Filter | is | Geo
Location]


Click Apply to see only media files containing geolocation metadata. 
To find media files containing the same GPS coordinates, in the Content pane select a file that
has GPS metadata. In the bottom left corner of the Case Window in the File Information pane, GPS
metadata values for the selected file appear in the GPS section in the Value column. Make note of
the GPS longitude or latitude value. In this example, we use latitude [43, 38, 33.21].


[Screenshot: File Information pane, GPS section: North or South Latitude N, Latitude [43, 38,
33.21], East or West Longitude W, Longitude [79, 23, 6.78], Altitude 94.8, GPS time [17, 57, 41],
GPS Date 2014:02:15]


On the toolbar, click File Filter. The File Filter view appears.


At the top of the Content pane, select the existing file filter drop-down menu and select Metadata
Value.


A secondary drop-down menu and text field appears. Leave the default (contains) selected and in
the text field, type the previously noted longitude or latitude coordinates:


[Screenshot: File Filter view with Match: All, + Condition, + Group, Invert Filter, Ignore Folders
and Duplicate Files, Reset, and Save This Filter controls]


Click Filter, and Inspector isolates files containing the defined longitude or latitude coordinates. 
On the toolbar, click Media to switch back to the Media view. To the right of the Apply button, 
click + (add). Inspector configures a second File Filter | is | Current File Filter by default. Leave 
this setting as is and click Apply. 


[Screenshot: Media view filter pane with Match: All, Reset, Apply, and two rows: File Filter | is |
Geo Location, and File Filter | is | Current File Filter]


Inspector applies the Metadata Value filter and displays only the pictures containing latitude [43, 
38, 33.21] metadata. 


Mac and iPhone forensic analysts may use the same file filtering technique to isolate files taken 
by an iPhone (or any other camera type). To do so, on the toolbar click File Filter and select the 
Metadata Value filter. In the text field, type iPhone and click Filter. On the toolbar, click Media to 
switch back to the Media view. Click Apply. Inspector shows the pictures containing an iPhone 
metadata value. 
A second method for locating picture or video files created at the same location is to use the Map
View sub-view in the Locations view. On the toolbar, click Locations. With the Map View sub-view 
selected, the Content pane displays a map on which data containing geolocation information is 
plotted. 


The map is divided into square regions. When you click a region, it is highlighted in yellow. Data 
from information in that square of the map is listed in the right section of the Content pane. 


[Screenshot: Locations view, Map View sub-view. The map occupies the left portion of the Content
pane; the right section lists the data in the selected region with Date (UTC) and Type columns,
all of type Picture]


The Type column reveals the type of data the geolocation was extracted from. Depending on the
device, location data may be stored in various applications and system files. Pictures and videos
that contain location data are listed with the type Picture and Video.


Using the zoom slide-bar, you can focus on a specific geographic location. After zooming in on the
area of interest, apply a filter to display only picture and video files. Double-click the Latitude
column to sort the pictures and videos by location. Pictures and videos taken at the same location
are grouped together. When a file is selected in the Content pane, the associated data point on
the map changes from blue to pink. The File Content view can be used to preview the file.


[Screenshot: Locations view, Map View sub-view, zoomed in and filtered to pictures and videos,
with a selected .MOV file highlighted on the map and its path shown in the status bar]


Map View provides an interactive interface to locate and review pictures and videos of interest 
taken at a location of interest. For more information, see Locations, Internet, and Productivity 
Views. 
Sorting Media Files by Calculated Skin Percentage


To sort filtered media files so that files with the highest calculated skin percentage appear first, 
on the toolbar click Media. 


In the top left corner of the Content pane, select the secondary drop-down menu and choose 
Calculated Skin %. 


Inspector sorts the media files, and the media file containing the highest calculated skin 
percentage appears first. This feature is quite useful if there are many media files created at the 
same location. 


Sorting Media Files by Image Analyzer Categories


When media files are categorized by Threat Category, they can be sorted and filtered by threat
category. To sort media files so that files with the highest calculated Threat Category value
appear first, on the toolbar click Media.


[Screenshot: Media view with the Sort drop-down menu open and the File Content view (Hex,
Strings, Preview, Media, Location, Record, Data Fork tabs) for the selected .heic file]


In the Sort field, choose one of these threat categories.


• Threat Category - Alcohol
• Threat Category - Chat
• Threat Category - CSAM
• Threat Category - Currency
• Threat Category - Documents
• Threat Category - Drugs
• Threat Category - Extremism
• Threat Category - Gambling
• Threat Category - Gore
• Threat Category - ID/Credit Cards
• Threat Category - Porn
• Threat Category - Swim/Underwear
• Threat Category - Vehicles
• Threat Category - Weapons


Inspector sorts the media files, and the media file containing the highest calculated percentage 
in the selected Threat Category appears first. This feature is quite useful if there are many media 
files created at the same location. Image Analyzer threat categories may be more accurate than 
skin percentage. 
Mapping GPS Metadata Using Google Maps


To map geolocation metadata, select a file, and at the top of the File Content view, click 
Location. If the analysis workstation is a non-networked machine, a Mercator map with red 
crosshairs representing the file's approximate longitude and latitude coordinates displays along 
with several of the file's actual geolocation metadata attributes and values (i.e., latitude, 
longitude, timestamp, etc.). 


If the analysis workstation has an Internet connection, click Show on Google Maps. A default 
browser window opens and displays (potentially) an address, a street view picture, and a satellite 
view based on the file's GPS metadata. 


Mapping GPS Metadata Using Google Earth 


Files containing GPS information can be selected, exported to a .kmz or .kml file, and mapped 
with the Google Earth application. 


1. Select file(s) containing GPS data, click Action » Export Selected Location Data As, and then
choose either KMZ or KML format.

2. In the Export dialog box, type a file name and choose or create a destination folder, and then
click Export.
Inspector exports the GPS data to a .kmz or .kml file in the destination folder.

3. Open the .kmz or .kml file in Google Earth.
Google Earth displays a pushpin for each file. Each pushpin is also listed in the Google Earth
sidebar Places section.
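Converting the [degrees, minutes, seconds] GPS values shown in the File Information pane to decimal degrees and writing them as KML placemarks, as an added example rather than Inspector's own exporter. The record layout, function names, and the sample file name are assumptions; the coordinates are the ones used in the walkthrough above.

```python
"""Export EXIF-style GPS metadata to KML for Google Earth.

Added example, not Inspector's exporter. It converts the [degrees, minutes,
seconds] values shown in the File Information pane, with their N/S and E/W
reference letters, to decimal degrees and writes one Placemark per file.
"""
import xml.etree.ElementTree as ET
from typing import Dict, Iterable, List, Sequence, Tuple

KML_NS = "http://www.opengis.net/kml/2.2"


def dms_to_decimal(dms: Sequence[float], ref: str) -> float:
    """[deg, min, sec] plus 'N'/'S'/'E'/'W' -> signed decimal degrees."""
    deg, minutes, seconds = (float(x) for x in dms)
    value = deg + minutes / 60.0 + seconds / 3600.0
    if ref.upper() in ("S", "W"):
        value = -value          # south and west hemispheres are negative
    return value


def build_kml(records: Iterable[Dict]) -> str:
    """records: dicts with name, lat, lat_ref, lon, lon_ref and optional altitude."""
    ET.register_namespace("", KML_NS)
    kml = ET.Element(f"{{{KML_NS}}}kml")
    doc = ET.SubElement(kml, f"{{{KML_NS}}}Document")
    for rec in records:
        lat = dms_to_decimal(rec["lat"], rec["lat_ref"])
        lon = dms_to_decimal(rec["lon"], rec["lon_ref"])
        pm = ET.SubElement(doc, f"{{{KML_NS}}}Placemark")
        ET.SubElement(pm, f"{{{KML_NS}}}name").text = rec["name"]
        point = ET.SubElement(pm, f"{{{KML_NS}}}Point")
        # KML orders coordinates longitude,latitude,altitude
        ET.SubElement(point, f"{{{KML_NS}}}coordinates").text = (
            f"{lon:.6f},{lat:.6f},{rec.get('altitude', 0.0)}"
        )
    return ET.tostring(kml, encoding="unicode")


def placemark_coordinates(kml_text: str) -> List[Tuple[str, float, float]]:
    """Parse KML back into (name, lon, lat) tuples; doubles as a round-trip check."""
    root = ET.fromstring(kml_text)
    out = []
    for pm in root.iter(f"{{{KML_NS}}}Placemark"):
        name = pm.find(f"{{{KML_NS}}}name").text
        coords = pm.find(f".//{{{KML_NS}}}coordinates").text
        lon, lat, _alt = (float(v) for v in coords.split(","))
        out.append((name, lon, lat))
    return out


# Constructed sample using the coordinate format from the guide's walkthrough.
SAMPLE_RECORDS = [
    {"name": "IMG_0001.heic", "lat": [43, 38, 33.21], "lat_ref": "N",
     "lon": [79, 23, 6.78], "lon_ref": "W", "altitude": 94.8},
]

if __name__ == "__main__":
    print(build_kml(SAMPLE_RECORDS))
```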


We have now located media files that contain geolocation data, isolated the files containing the 
same GPS coordinates, sorted those results by calculated skin tone percentage, and mapped the 
results. 


Remember that media created using any camera with enabled GPS tracking features, such as 
the iPhone and iPad Location Services feature, may contain geolocation metadata. Forensic 
analysts may find geolocation artifacts on a Mac computer if the user attached the camera or 
smart device to the computer. 
There are two types of Searches. The Content Search feature isolates information according to
file content such as alphanumeric keywords or regular expressions. The Index Search feature 
isolates information by querying information stored in the Smart Index. Any fields or documents 
that have been indexed can be used to find information of interest. Keep in mind unallocated 
space is not indexed. To find information in unallocated space, a Content Search must be used. 


File Filtering can be used in conjunction with Content Searches to further isolate information. 


This chapter provides these topics about searching in Inspector. 


• Content Keyword Searches
• Saved Content Search Settings
• Applying Filters to a Content Search
• Viewing Content Search Results and Criteria
• Index Searching
• Bulk Extraction Searches on Memory Files


Content Keyword Searches 


To execute a content search, click Add next to Content Searches in the Component list. 


[Screenshot: Component list showing the Evidence section with its device, volume, and memory
image items, the Activity section (Evidence Status, Export Status), and the Content Searches
section with its Add button]


Inspector names each new search "New Search #" (appended with an incremental number)
automatically. To avoid confusion, always add a unique and descriptive search name at the top of 
the Content pane in the Name field when defining new search criteria. 


[Screenshot: content search criteria pane with the Name field, Reset Search Criteria and Saved
Searches controls, the Search Path table, Options (Search: Content only, Case Sensitive, Unicode
(UTF16), Deep Search, Ignore Extensions, Report Only First Hit on File, Search All Files), the
Keywords list with Import and Export buttons, and Save Search]


Once a content search is created, it is shown in the Component list under Content Searches. 
Double-click a saved search name to rename it at any time during the examination. 


Content searches can be refined to search specified areas of the media. Searches can be 
directed to specific volumes by selecting the volume where it is listed in the Content pane. By 
default, content searches are set to search from the root directory of the volume. 


To confine a search to a specific directory, type or paste the path in the Search Path field. To
copy-paste a path name, navigate to the device in the Browser view. In the Content pane, right-
click or CTRL+click on a folder and choose Copy Path. Click Add next to Content Searches in the
Component list. In the Content pane to the right of the selected device name (under the Partition
column), double-click the Search Path field and press CMD+V or CTRL+V. To the left of the
selected device name (under the Partition column), mark the checkbox. Inspector searches the
selected folder.
A secondary method for choosing the areas to search is to use Search Contents from the
contextual menu. This can be done from the Browser view. In the Content pane, right-click or
CTRL+click on a folder and choose Search Contents from the context menu.


[Screenshot: Browser view with the context menu for a folder under Racer - Data/Users open,
showing Save File Listing..., Copy Path, Quick Look, Find Identical Files, Export, Reveal, Tag Files
As, Calculate Size, Search Contents..., Expand Archive, Extract OCR Image Text, and Add
Selected...]


A new search window opens with the appropriate partition and search path checkbox selected. 


Partition                                    Search Path 
EFI on Bennett-Computer-190305.E01 
Racer on Bennett-Computer-190305.E01         /Users/josh   (checkbox marked) 
Preboot on Bennett-Computer-190305.E01 
Recovery on Bennett-Computer-190305.E01 
VM on Bennett-Computer-190305.E01 
BOOTCAMP on Bennett-Computer-190305.E01 


To search the entire device, leave the Search Path field as it appears with just /. If a path name is 
incorrectly entered into a Search Path field or if the typed path does not exist in the file system, a 
red error badge (!) appears next to the field. Once a valid path name is correctly entered, the 
error disappears. 


Partition                                                         Search Path 
Josh Bennett's iPhone5 on Josh Bennett's iPhone5 
racer on Bennett 14-087-0301 1-Computer.dmg                       (!) Path Invalid   /users/path 
racer - Carved Files on Bennett 14-087-0301 1-Computer.dmg 
Recovery HD on Bennett 14-087-0301 1-Computer.dmg 
Recovery HD - Carved Files on Bennett 14-087-0301 1-Computer.dmg 
BOOTCAMP on Bennett 14-087-0301 1-Computer.dmg 
BOOTCAMP - Carved Files on Bennett 14-087-0301 1-Computer.dmg 
Josh Bennett's iPhone on Josh Bennett's iPhone 3GS 
Adding Keywords to Content Searches 


In the Content pane at the bottom of the Keywords section, click + (add) and enter a keyword. 
Optionally, in the Content pane in the Regular Expressions section, select the Selected Keyword 
is RegEx Pattern checkbox to save the keyword as a regular expression. For example, to add the 
search term "slim jim" and search for keyword occurrences with either a space or no space 
between "slim" and "jim", add the keyword slim\s{0,1}jim. 


Mark the Selected Keyword is RegEx Pattern checkbox. The new keyword is added as a search 
term and added to the Add Preset drop-down menu as a regular expression preset. 


To add an existing text file containing a list of keyword search terms to a search, at the bottom of 
the Keywords section, click Import. The file for import must be UTF-8 encoded, as other 
encodings may not import correctly. Click Export to save the current keyword search term list to 
a text file for later use. To remove a keyword or keywords from the Keywords list, select a 
keyword or multiple keywords, and click - (remove). 


Inspector ignores files with a given extension when these extensions are added to the Ignore 
Extensions list. Items are added to the Ignore Extensions list in the same way they are added to 
the Keywords list. 


Regular Expression Presets 


Inspector includes several regular expression presets. Select these presets in the Regular 
Expressions section with the Add Preset menu. You can also edit regular expressions after 
selecting them. 


Social Security Number 
^((?!000)(?!666)([0-6]\d{2}|7[0-2][0-9]|73[0-3]|7[5-6][0-9]|77[0-1]))-((?!00)\d{2})-((?!0000)\d{4})$ 

UK National Insurance Number 
^[A-CEGHJ-PR-TW-Z]{1}[A-CEGHJ-NPR-TW-Z]{1}[0-9]{6}[A-DFM]{0,1}$ 

MAC Address 
((\d|([a-f]|[A-F])){2}:){5}(\d|([a-f]|[A-F])){2} 

IP Address 
\b(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\b 

Email Address 
[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,4} 

Email Address (Simple) 
[A-Z0-9-_.+%]{1,64}@([A-Z0-9-.]{1,63}\.([A-Z]{2,63}|(XN--[A-Z0-9]{1,59}))) 

URL 
(expression not legible in the source scan; see RegExPatterns.txt in the Inspector resources folder) 

International Phone Number 
^(\+[1-9][0-9]*(\([0-9]*\)|-[0-9]*-))?[0]?[1-9][0-9\- ]*$ 

Valid US Phone Number 
(expression not legible in the source scan; see RegExPatterns.txt in the Inspector resources folder) 

UK Phone Number 
((\+44)? ?(\(0\)? ?)|(0))( ?[0-9]{3,4}){3} 

Valid UK PostCode 
(expression not legible in the source scan; see RegExPatterns.txt in the Inspector resources folder) 

US PostCode 
(\d{5}-\d{4})|\d{5} 

Canada PostCode 
(?i)[ABCEGHJKLMNPRSTVXY]\d[ABCEGHJKLMNPRSTVWXYZ]\s?\d[ABCEGHJKLMNPRSTVWXYZ]\d 

Date 
^((((0[13578])|(1[02]))[\/\.\-]?((0?[1-9])|([0-2][0-9])|(3[01])))|(((0[2469])|(11))[\/\.\-]?((0?[1-9])|([0-2][0-9])|(30)))|(0?2[\/\.\-]?((0?[1-9])|([0-2][0-9]))))[\/\.\-]?\d{2,4}$ 

ISO Dates 
^((((19|20)([02468][048]|[13579][26]))-02-29)|((20[0-9][0-9])|(19[0-9][0-9]))-(((0[1-9])|(1[0-2]))-((0[1-9])|(1\d)|(2[0-8]))|((0[13578])|(1[02]))-31|((0[1,3-9])|(1[0-2]))-(29|30)))$ 

Date and Time 
(expression not legible in the source scan; see RegExPatterns.txt in the Inspector resources folder) 

Time 
^((([0]?[1-9]|1[0-2])(:|\.)[0-5][0-9]((:|\.)[0-5][0-9])?( )?(AM|am|aM|Am|PM|pm|pM|Pm))|(([0]?[0-9]|1[0-9]|2[0-3])(:|\.)[0-5][0-9]((:|\.)[0-5][0-9])?))$ 

Valid Credit Card 
(expression not legible in the source scan; see RegExPatterns.txt in the Inspector resources folder) 

Add more expressions to the Regular Expressions Add Preset menu by modifying the 
RegExPatterns.txt file located in the Inspector resources folder. This text file is a simple TSV text 
file. Open the file in a text editor and append the desired expression(s) to the bottom of the file 
using the following format (separate the fields with a TAB). 


Name Expression Description Sample 
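As an added example, not Inspector's own code, the following Python checks a RegExPatterns.txt-style file before it is dropped into the resources folder: it splits each line on TABs into the four fields named above, compiles every expression, and runs it against its own Sample column, so a typo that would silently break a preset is caught before the search runs. It also shows the slim\s{0,1}jim keyword from the Keywords section matching with and without the space. The sample rows, the assumption that the file has no header line, and the case-insensitive default (an unmarked Case Sensitive checkbox) are assumptions made for the example.

```python
import re

# Constructed rows in the TAB-separated layout the guide gives for
# RegExPatterns.txt (Name, Expression, Description, Sample). These rows
# illustrate the format; they are not the file Inspector ships, and the
# example assumes the file carries no header line.
SAMPLE_PRESETS = "\n".join([
    "\t".join(["Slim Jim", r"slim\s{0,1}jim", "slim jim with or without a space", "slimjim"]),
    "\t".join(["IP Address",
               r"\b(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)"
               r"\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\b",
               "dotted-quad IPv4 address", "10.0.0.254"]),
    "\t".join(["US PostCode", r"(\d{5}-\d{4})|\d{5}", "ZIP or ZIP+4", "95014-1234"]),
    "\t".join(["Bad Preset", r"slim\s{0,1}(jim", "unbalanced parenthesis", "slim jim"]),
])


def parse_presets(text):
    """Return [(name, expression, description, sample)] from TSV text.
    Blank lines are skipped; missing trailing fields become empty strings."""
    rows = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        fields = line.split("\t")
        if len(fields) < 2:
            raise ValueError(f"line {lineno}: expected Name<TAB>Expression")
        fields += [""] * (4 - len(fields))
        rows.append(tuple(fields[:4]))
    return rows


def load_presets(path):
    """Read a preset file. Keyword and preset files must be UTF-8; any other
    encoding is rejected here rather than imported incorrectly."""
    with open(path, encoding="utf-8", errors="strict") as fh:
        return parse_presets(fh.read())


def check_presets(text, case_sensitive=False):
    """Compile each preset and run it against its own Sample column.
    Returns {name: 'ok' | 'no match' | 'error: <reason>'}. The default
    mirrors an unmarked Case Sensitive checkbox."""
    flags = 0 if case_sensitive else re.IGNORECASE
    results = {}
    for name, expr, _description, sample in parse_presets(text):
        try:
            pattern = re.compile(expr, flags)
        except re.error as exc:
            results[name] = f"error: {exc}"
            continue
        results[name] = "ok" if sample and pattern.search(sample) else "no match"
    return results


def find_hits(expr, data, case_sensitive=False):
    """Return (start, end) offsets of every match of expr in data, the way a
    content search reports hits within one file's decoded content."""
    flags = 0 if case_sensitive else re.IGNORECASE
    return [m.span() for m in re.finditer(expr, data, flags)]


if __name__ == "__main__":
    for name, status in check_presets(SAMPLE_PRESETS).items():
        print(f"{name:12s} {status}")
    print(find_hits(r"slim\s{0,1}jim", "SlimJim and slim jim"))
```

Run check_presets on the edited file before restarting Inspector; any entry reported as "error:" or "no match" is a preset that would either fail to load or never hit, and the Description and Sample columns are the place to record what the expression is meant to catch.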


In the upper right corner of the Content pane in the Options section, click Search and select 
Content only, Content and File Names, or File Names only as necessary. Inspector searches for 
keywords and regular expressions in the contents of a file, in the file name, or both. The Content 
only option is selected by default. 


Select the following additional search criteria options by activating any or all corresponding 
checkboxes. 


• Case Sensitive 

• Unicode (UTF16) 

• Skip Files Larger Than 

• Report Only First Hit on File 


Mark the Case Sensitive checkbox to make a keyword search case sensitive. Unmark the 
Unicode (UTF16) checkbox to stop Inspector from also searching for UTF-16 encoded matches. 
Mark the Skip Files Larger Than checkbox and specify a file size to exclude files over that size 
from the search. Mark Report Only First Hit on File to stop searching a file after its first keyword 
hit. 


When you activate the Deep Search option, Inspector expands container files, archive files, 
database files, multimedia files, etc., so the search function can look inside these files for 
examiner-defined keywords and RegEx patterns. Inspector will also perform a regular ASCII 
search function at the same time to maximize all possible search results from case evidence. 


By default, Inspector deduplicates search hits across multiple Volume Shadow Copies, returning 
a hit on the oldest Volume Shadow Copy version if others have the same hash value. If a Volume 
Shadow Copy and primary file have the same hash, both the primary file and oldest Volume 
Shadow Copy version will be included in search hits, providing the file modification times differ. 
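The deduplication rule described above, modelled as an added Python example (this is not Inspector's implementation): hits are grouped by content hash; every hit on the live (primary) volume is reported; of the shadow-copy versions sharing a hash, only the oldest snapshot is reported, and that one is dropped when a primary hit with the same hash carries the same modification time. The Hit record, the sample hits, and the snapshot creation times are constructed for the example, and the deduplicate flag stands in for the preference described below.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Hit:
    """One search hit. snapshot is None for the live (primary) volume, or the
    creation time of the Volume Shadow Copy the hit came from (constructed
    epoch seconds; an earlier value means an older snapshot)."""
    path: str
    sha1: str
    mtime: int
    snapshot: Optional[int]


# Constructed hits: three files, each present on the live volume and/or in
# two shadow copies created at 1690000000 (older) and 1695000000 (newer).
HITS = [
    Hit("/Users/josh/notes.txt", "aaa", 1700000000, None),        # primary, kept
    Hit("/Users/josh/notes.txt", "aaa", 1700000000, 1690000000),  # same hash and mtime as primary: dropped
    Hit("/Users/josh/notes.txt", "aaa", 1700000000, 1695000000),  # newer snapshot: dropped
    Hit("/Users/josh/report.docx", "bbb", 1700000500, None),      # primary, kept
    Hit("/Users/josh/report.docx", "bbb", 1699000000, 1690000000),  # oldest snapshot, mtime differs: kept
    Hit("/Users/josh/report.docx", "bbb", 1699000000, 1695000000),  # not the oldest: dropped
    Hit("/Users/josh/draft.docx", "ccc", 1698000000, 1690000000),   # only in shadow copies: oldest kept
    Hit("/Users/josh/draft.docx", "ccc", 1698000000, 1695000000),   # dropped
]


def dedupe_shadow_hits(hits: List[Hit], deduplicate: bool = True) -> List[Hit]:
    """Apply the default deduplication rule and return the surviving hits in
    their original order. deduplicate=False returns every hit unchanged,
    which is what switching the preference off corresponds to."""
    if not deduplicate:
        return list(hits)
    order = {h: i for i, h in enumerate(hits)}
    groups = {}
    for h in hits:
        groups.setdefault(h.sha1, []).append(h)
    kept = []
    for group in groups.values():
        primaries = [h for h in group if h.snapshot is None]
        shadows = sorted((h for h in group if h.snapshot is not None),
                         key=lambda h: h.snapshot)
        kept.extend(primaries)          # the live file is always reported
        if shadows:
            oldest = shadows[0]         # only the oldest shadow-copy version is a candidate
            # A shadow copy that matches a primary hit byte-for-byte and also has
            # the same modification time adds nothing, so it is suppressed.
            if not any(p.mtime == oldest.mtime for p in primaries):
                kept.append(oldest)
    return sorted(kept, key=order.__getitem__)


if __name__ == "__main__":
    for h in dedupe_shadow_hits(HITS):
        print(h.path, "primary" if h.snapshot is None else f"snapshot {h.snapshot}")
```

The practical consequence for an examiner: a hit that appears only once in the results may still exist in several shadow copies, so check the Partition column or rerun with deduplication off before concluding that a file existed at only one point in time.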


You can change the deduplication setting in the Preferences dialog box for Inspector, on the 
Options tab. For more information, see Inspector Preferences or Options. 


Saved Content Search Settings 


After all search options are set as desired, in the bottom right corner of the Content pane, click 
Save Search to save the current search criteria settings for later use. You can overwrite an 
existing search to replace it, if necessary. 


To confirm the search was saved, in the top right corner of the Content pane, click Saved 
Searches and see whether it is in the list. 


You can edit the Saved Searches list. Click Saved Searches and select Edit Saved Searches. The 
User Created Searches window appears. 


To rename a saved search, click Rename. After you type the new name, click anywhere outside 
the text box or press ENTER. The new name appears in the User Created Searches window. 


To remove a search from the list, select the search, and then click Remove. 


Applying Filters to a Content Search 
You can include a preset file filter or a saved custom file filter as part of search criteria. To do so, 


from the Search view, click Search All Files and choose Files that Match Filter or Files that 
Don't Match Filter. 


In the Saved File Filter list, choose a saved file filter or the current unsaved filter. 
Filtering Search Results 


After starting a search, you may also apply a view filter to narrow the search results. If the file 
filter is not currently shown, click Show/Hide Filter (three arrows) below the right side of the 
toolbar. Show/Hide Filter changes in appearance depending on whether filters are shown or 
hidden and in use or not. 


To the right of Apply, click + (add), and then click Any. Now you can choose a filter from the list, 
which provides options appropriate for the view in use. Repeat this to add more filters. 


To remove filters, to the right of the specific filter, click - (remove). 


For more information, see File Filters. 


Viewing Content Search Results and Criteria 


Click Start Search. At the top of the Content pane a progress bar appears. Search results are 
populated as they are found, and Inspector begins displaying the results while the search is still 
in progress. 


To pause or resume a search, on the right side of the progress bar, click the Pause/Resume 
toggle. 


When a search begins, the name of the search and percentage complete indicator appear in the 
Component list under Content Searches. Click the search name to view the search results. 


CONTENT SEARCHES 
  Cars 
  Internet Services 
  Internet Searches 
  Facebook Addresses 
  Email Domain 
  Zip Files 
  URLs 
  Phone Numbers 
  RFC822 Headers 
  JSON Data 
  IP Addresses 
  EXIFs 
  Ethernet MAC Addresses 
  Email Addresses 
  Internet Domains 
  AES Keys 
  Deep Search  0.69% 


On the menu bar, choose View » Adjust List Columns and select or deselect column options as 
desired. Selected columns display in the Content pane. The Partition column is useful, as it helps 
the examiner identify which device contains a given hit. 
When you export data using the Export Selected Rows feature, Inspector only exports the data in 
the displayed columns; data in the hidden (unmarked) columns is not exported. 


The exception to this rule is the Contacts sub-view in the Communication view. From this sub-view, 
all fields of the contact data, including those seen in the right pane, are included in exports. 


In the upper portion of the Content pane, select a file in the file list. The middle section displays a 
highlighted hit, and a short context snippet for each hit occurrence within the selected file. 
Double-click on a highlighted keyword and Inspector automatically displays the search hit in the 
Hex view of the File Content view. 
Each hexadecimal search hit is highlighted in orange. In the bottom right corner under the File 
Content view, a Selection # indicator appears, along with the hit's sector offset, physical sector, 
logical sector, and cluster start. The Status Bar shows the search hit pathname. 


If more than one search hit is returned, click the arrow buttons at the top of the File Content 
view to navigate through each hit. 


You can select and tag search hits from within the File Content view. For more information, see 


Tags. 


With Hex selected, double-click on a highlighted hexadecimal hit. Inspector automatically 
displays the hit in an appropriate view, such as Media, Internet, and so forth. 


To quickly search for another text string within the returned search results, click anywhere in 
the File Content view, and press your computer's shortcut keys for Find. In the Find window, type 
the desired text and click Find. Any results are highlighted in green. 


Criteria Tab 


At the top of the Content pane, click Criteria to see the criteria used for the search, the searched 
partitions, search settings, keywords (including RegEx), and the ignored extensions. Click 
Results to return to the search results. 


August 2021 Inspector User Guide 


Statistics Tab 


At the top of the Content pane, click Statistics to see search hits for each keyword and total 
search hits, search size and file count, and the search start, end, and total time elapsed. Click 
Results to return to the search results. 


Index Searching 


Inspector provides index capabilities only for allocated files on the file system. These are the files 
likely to be most relevant for prosecution. Smart Indexing can be run during the initial ingestion 
of evidence or later. 


To run during initial ingestion, select the Smart Indexing option when the Evidence item is 
added. To run Smart Indexing after initial ingestion, navigate to Evidence Status and click Run 
next to Indexing. 


Creating a Smart Index Query 


Once the Smart Index is created, Index Searches can be created in the Component list. To add an 
Index search, click Add next to Index Searches in the Component list. 


Screenshot: the Component list showing the EVIDENCE section (Bennett-Computer-20052..., Racer - Data, Racer, Bootcamp, Bennett-Mem.dmp, Thes), the ACTIVITY section (Evidence Status, Export Status), CONTENT SEARCHES, and INDEX SEARCHES with its Add button. 


Index Search appears in the Content pane and has areas for these purposes. 

• create and execute the query 

• display a list of files that match the executed query 

• display the highlighted hit 


Screenshot: an Index Search named "walking dead" with the query Walking AND dead. The Content pane lists the matching files with their Type, Name/Sender, Subject, Date Created / Sent, and Participants columns; below it, each hit is shown with a short context snippet, and the File Content view shows the selected Safari WebKitCache record with the hit highlighted (1 of 11 results, under /Racer - Data/Users/josh/Library/Containers/com.apple.Safari/...). 


Inspector uses an implementation of SQLite for smart indexing, and queries follow the SQLite FTS5 
full-text query syntax. For more information, see https://sqlite.org/fts5.html#full_text_query_syntax. 


All new Index Searches have the default Query Name Index Search. This is the name that 
appears in the Component list for the search. Below the Query Name field are the buttons Logic, 
Insert, and Run Query. 


Query Name: Index Search 

Logic »   Insert »   Run Query 


Click Logic to see the logic options. 

• AND 
• OR 
• NOT 
• Wrap selection with () 

Click Insert to see file metadata contained in the Smart Index that can be used to find data of 
interest. 
Data extracted by Inspector from inside of container files (like internet, email, or archives) as a 
result of processing are included in the index. These metadata fields are available to query the 
index. 

• Path Contains 
• Name / Sender Contains 
• Subject Contains 
• Participant Contains 
• Type 
• Size 
• Date Created 
• Date Modified 
• Date Accessed 
• Date Changed 
Screenshot: a New Index Search with the Insert menu open, listing Path Contains..., Name / Sender Contains..., Subject Contains..., Participants Contains..., Type, Size, Date Created / Sent, Date Modified, Date Accessed, and Date Changed, with the Suggested Terms box (Term, Files) below the query field. 


The Type submenu offers these artifact types. 

• AirDrop Download 
• Apple Keychain 
• calendar 
• call 
• contact 
• Device Backup 
• Device Connection 
• file 
• fileknowledge 
• internetbookmark 
• internetcache 
• internetcookie 
• internetdownloads 
• internethistory 
• internetsession 
• internettopsite 
• location 
• message 
• note 
• Spotlight Shortcuts 
• Top Contact 
• User Account 

You can use the index to quickly find if a particular topic or subject is mentioned in the evidence 
set. Indexing the normalized data will return hits for topics or subjects mentioned in internet 
artifacts, messages and emails, text obtained from optical character recognition (OCR) within 
image files, or within decompressed archive files. 


Indexing can be performed during initial evidence ingestion or performed later from Evidence 
Status. In this case, indexing occurs after all other processing options. 


If indexing is performed before other processes, such as Mail Parsing or Process Archives, once 
the process runs, the newly processed data will be added to the index. It is common to see 
Indexing running in Evidence Status each time new information is processed on indexed devices. 
To begin building a query, type a search term in the box. Use the Logic operators to combine 
terms and metadata to create a more complex query. Suggested terms appear in the 
Suggested Terms box as you type, showing the number of hits in the index for each suggested 
term. Once the query is built, click Run Query to see the results. For example, to find 
information related to a user's Apple ID, a query can be created with the word AppleID. To narrow 
the result to a specific user account, add the metadata Path Contains, entering the user account 
name in the «pathpart» portion after the AND operator. 
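As an added example, and not Inspector's index schema or code, the following Python builds a small SQLite FTS5 index over constructed rows and runs queries in the form the Logic menu produces (AND, OR, NOT, parentheses, and prefix terms), combines them with a Path Contains filter, and backs a Suggested Terms list with an fts5vocab table. The table and column names, the rows, and the paths are assumptions made for the example. FTS5 operators must be upper case; a lower-case and is searched as an ordinary term.

```python
import sqlite3

# Constructed index rows: (path, artifact type, text that processing extracted).
# The schema is an assumption for the example; the guide documents only that
# Inspector's index uses SQLite FTS5 query syntax.
ROWS = [
    ("/Racer - Data/Users/josh/Library/Caches/Safari/page1", "internetcache",
     "The Walking Dead season finale: walking dead recap"),
    ("/Racer - Data/Users/josh/Library/Mail/msg1.emlx", "message",
     "You've entered an address for your Apple ID. Verify now"),
    ("/Racer - Data/Users/evan/Library/Mail/msg2.emlx", "message",
     "Reminder about your Apple ID password"),
    ("/Racer - Data/Users/josh/Documents/walk.txt", "file",
     "a long walk in the park, nobody dead"),
]


def build_index(rows=ROWS):
    """Return an in-memory connection holding an FTS5 table over rows, or
    None if this SQLite build was compiled without FTS5."""
    conn = sqlite3.connect(":memory:")
    try:
        # path and kind are stored but not tokenised (UNINDEXED); only body is searched.
        conn.execute("CREATE VIRTUAL TABLE idx USING fts5(path UNINDEXED, kind UNINDEXED, body)")
    except sqlite3.OperationalError:
        conn.close()
        return None
    conn.executemany("INSERT INTO idx(path, kind, body) VALUES (?, ?, ?)", rows)
    return conn


def run_query(conn, match_expr, path_contains=None, kind=None):
    """match_expr is FTS5 syntax: bare terms, "quoted phrases", prefix*,
    AND / OR / NOT (upper case) and parentheses. The metadata filters are
    plain SQL predicates ANDed onto the full-text match; instr() is used
    rather than LIKE so that % and _ in a path fragment are not wildcards."""
    sql = "SELECT path FROM idx WHERE idx MATCH ?"
    params = [match_expr]
    if path_contains is not None:
        sql += " AND instr(path, ?) > 0"
        params.append(path_contains)
    if kind is not None:
        sql += " AND kind = ?"
        params.append(kind)
    sql += " ORDER BY rank, path"
    return [row[0] for row in conn.execute(sql, params)]


def suggest_terms(conn, prefix):
    """Indexed terms starting with prefix, each with the number of files it
    occurs in and its total number of hits: the data behind a Suggested Terms box."""
    conn.execute("CREATE VIRTUAL TABLE IF NOT EXISTS idx_vocab USING fts5vocab('idx', 'row')")
    return [(term, files, hits)
            for term, files, hits in conn.execute("SELECT term, doc, cnt FROM idx_vocab ORDER BY term")
            if term.startswith(prefix)]


if __name__ == "__main__":
    conn = build_index()
    if conn is None:
        print("FTS5 is not available in this SQLite build")
    else:
        print(run_query(conn, "Walking AND dead"))
        print(run_query(conn, "apple AND id", path_contains="/Users/josh/"))
        print(run_query(conn, "(apple AND id) NOT password"))
        print(suggest_terms(conn, "walk"))
```

Two behaviours worth knowing when reading results: the default FTS5 tokenizer is case-insensitive, so Walking and walking are the same term, and a term matches whole tokens only, so walk does not find walking unless written as the prefix walk*.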


Screenshot: the results of an AppleID query. The file list shows five hits with sizes and dates; the selected hit is an Apple ID verification email ("You've entered ... as the contact email address for your Apple ID. To complete the process, we just need to verify that this email address ..."), shown in the File Content view with the search term highlighted. 


The results of the query can be seen in the Content pane. Highlight a result in the list of files 
returned and the hit is highlighted. The entire file is displayed in the File Content view with the 
search term hits highlighted. If you highlight multiple files in the list of files returned, multiple 
hits appear in the highlighted area. If the OCR Image Text process was run against the evidence, 
OCR text may be returned as a result. 


Bulk Extraction Searches on Memory Files 


When you run advanced processing options on a memory file, Inspector uses a bulk extraction 
tool to perform content searches, scanning the evidence file for key items of interest. These 
search items are included. 


• URLs 
• phone numbers 
• Internet searches 
• zip files 
• JSON data 
• ethernet MAC addresses 
• AES keys 
• email addresses 
• Facebook addresses 
• Internet services 
• email domain 
• RFC822 headers 
• GPS data 
• EXIFs 
• Internet domains 
After advanced processing options have finished running, any bulk extraction content searches 
that yielded results will be shown in the Content Searches section of the Component list, in the 
same location as any user-defined searches. A bulk extraction content search will only be shown 
in the list if one or more results were found for that search. 
Bulk extraction search results can be viewed and analyzed in the same manner as user-defined 
searches. For more information, see Viewing Content Search Results and Criteria. 


For more information, see Adding a Memory File. 
This chapter provides these topics about the Media view in Inspector. 


• Analyzing Picture and Video Files 
• Analyzing Audio Files 


Analyzing Picture and Video Files 


The Media view in Inspector displays a thumbnail gallery of most picture and video files on an 
evidence item. This view also displays audio file information. Built-in playback controls allow 
examiners to listen to audio files directly from within Inspector. 


The Media view provides options for sorting through visual media files. Select among the 
Pictures, Videos, or Thumbnails tabs to view those types of files separately or choose the 
Combined tab to view all three types together. 


Picture files and video files are easily discernible from one another in the Media view; video file 
icons are rendered as 4 x 4 mosaics comprised of sixteen frame-sequence slices. 


Note: The picture and video thumbnails do not appear if the video and picture processor has not 
been run. 


You can preview video files. To see the video file split into sixteen frame sequences and displayed 
as a 4 x 4 mosaic, at the top right of the File Content view, click Thumbs. If you click Video, the 
video file is rendered with playback controls. To play the video, click Play. 


Screenshot: the Media view Videos tab, showing video files as 4 x 4 mosaics, with the File Content view tabs Hex, Strings, Preview, Metadata, Location, Record, Thumbs, and Video, and the selected file /Racer - Data/Users/josh/Dropbox/Camera Uploads/2010-12-01 13.19.12.mov (1 of 97). 

In the Content pane, select a file and press the spacebar, or click Quick Look (eye button) to view 
the file using Quick Look (Mac only). Quick Look displays native Apple application files (and some 
third-party application files) the same way a user sees them. Audio and video files play within the 
Quick Look view as well. 
Sticky Select 


To select and tag multiple pictures or videos, in the top right corner of the Content pane, mark 
the Sticky Select checkbox. Click on several consecutive or non-consecutive pictures and they 
all remain selected. 


To quickly select multiple consecutive pictures in a horizontal and/or vertical row, with Sticky 
Select enabled, press SHIFT+PAGE UP, SHIFT+PAGE DOWN, SHIFT+RIGHT ARROW, or 
SHIFT+LEFT ARROW. A red square appears around pictures as they are selected. 


Screenshot: the Media view tabs Pictures, Videos, Thumbnails, Combined, and Audio, with the Sticky Select checkbox at the top right of the Content pane. 


To deselect a single picture (and additional non-consecutive single pictures) in one of the 
selected rows, release the SHIFT key, press and hold CMD or CTRL, and click on the picture. 


In the Media view, a picture or thumbnail that has been recovered from a deleted file is outlined 
with a red square. 


Thumbnails 


Inspector has the ability to parse thumbnails created for iOS (.ithmb extension), Windows (stored 
in Thumbs.db files) and macOS (stored in Quick Look's thumbnail cache, 
com.apple.QuickLook.thumbnailcache). 


Thumbnails can be viewed in the Media view. Click Pictures/Videos to see all pictures and 
videos, including thumbnails. When a thumbnail is selected in the Content pane, any metadata 
shown in the File Content view refers to the thumbnail, not its source picture file. Also, double- 
clicking a thumbnail picture opens the thumbnail, not its source picture file. 
In the Content pane, each thumbnail picture is shown with an icon beneath it that names the 
database the thumbnail came from, such as Thumbs.db. 


Hovering the cursor over this icon reveals the path and file name of the thumbnail's source file, if 
it exists. It also indicates the database from which the thumbnail is rendered. Single-clicking the 
icon reveals the source file in the Browser view. 


If the source file for a thumbnail is no longer on the system, hovering over the icon will indicate 
that the source file cannot be located. In such cases, single-clicking the icon reveals the 
database containing the thumbnail in the Browser view. 
Screenshot: a row of thumbnails in the Content pane, each labelled with its source database (Thumbs.db or 4031.ithmb). 


Geolocation Metadata 


Picture and video files containing geolocation (GPS) information display with a red placemark 
icon below the bottom left corner of the file icon. Select a picture or video file that has a 
placemark icon. At the top of the File Content view, click Location. A Mercator map, altitude, 
altitude reference, latitude, longitude, and timestamp metadata associated with the picture 
appear. 




In the File Content view, click Show on Google Maps. Google Maps launches in a default Internet 
browser window and displays the geolocation information associated with the picture file. 


Export Location Data as KMZ or KML 


Files containing GPS information can be selected, exported to a .kmz or .kml file, and mapped 
with the Google Earth application. 


1. Select file(s) containing GPS data, click Action » Export Selected Location Data As, and then 
choose either KMZ or KML format. 

2. Inthe Export dialog box, type a file name and choose or create a destination folder, and then 
click Export. 
Inspector exports the GPS data to a .kmz or .kml file in the destination folder. 

3. Open the .kmz or .kml file in Google Earth. 


Google Earth displays a pushpin for each file. Each pushpin is also listed in the Google Earth 
sidebar Places section. 


For more information, see Locating Live Victims. 
Image Categorization with Image Analyzer 


The integration of Image Analyzer into Inspector provides the capability to run image 
categorization across pictures and videos. Image Analyzer is a proven solution with years of 
experience in categorizing images based on the content using machine learning technology. 


Inspector looks for these categories. 


• Alcohol 

• Chat: Detects mobile screenshots of messenger applications such as Facebook Messenger, 
Viber, WhatsApp, Skype, Telegram, and other chat-based applications. 

• Child Sexual Abuse Material (CSAM) 

• Currency 

• Documents 

• Drugs 

• Extremism 

• Gambling 

• Gore 

• ID/Credit Cards 

• Maps 

• Porn 

• QR & Barcodes 

• Swimwear/Underwear 

• Vehicles: Detects images containing cars (all types, such as sedans, SUVs, pickups, etc.), 
trucks, motorbikes, and buses. 

• Weapons 


Image categorization can reduce review time by revealing images and videos that match a 
category of interest to the investigation. Examiners can choose which categories to run. 


Image Analyzer is completely integrated with Inspector and requires no Internet connection. 
Improvements to Image Analyzer, including the release of additional threat categories, will be 
provided with new releases of Inspector. You can request new image categories by sending an 
email to support@cellebrite.com. 


Since Image Analyzer is a learning model, it can be improved when users provide false positives. 
Reach out to Cellebrite to share false positive images. These images will be provided directly to 
Image Analyzer to refine the model. 


Image Analyzer can be run during the initial ingestion of evidence or later. To run during initial 
ingestion, click the ellipsis next to Picture Analysis or Video Analysis. The Media Analysis 
dialog box appears. 


By default, only Standard Processing is selected. To choose all categories, click Check All. You 
can also mark only the necessary categories to run. 


Runtime for initial processing with Classify Threat Categories selected may increase 
significantly. 
To run Classify Threat Categories after initial ingestion, navigate to the evidence item of interest 
in Evidence Status. The Play button next to the Pictures and Videos processes is yellow if 
standard processing or other threat categories have been processed. If nothing was processed, 
the Play button is gray. 


When you click Play next to Pictures or Videos, the Media Analysis dialog box appears, where you 
can choose some or all categories to run. 


Video processing in Inspector includes the creation of a 4 x 4 proof sheet containing 16 still 
frames from across the video. This proof sheet is then classified by Image Analyzer. This is much 
less time consuming than providing every frame of the video to Image Analyzer, but still allows 
for more granularity than providing one frame. Since the proof sheet is composed of 16 
snapshots, the classification results for Videos are not as precise as the classification results 
with Pictures. 


Threat Category results can be seen in the File Information pane or the Metadata tab in File 
Content view. 


Screenshot: the Metadata tab of the File Content view and the File Information pane for a picture under /Racer - Data/Users/josh/Pictures/Photos Library.photoslibrary/originals/... (1 of 65,402), listing Threat Categories with a score per category: Alcohol: 87.782722, Gambling: 0.855617, Vehicles: 0.193977, Drugs: 0.112860, Weapons: 0.101853, Porn: 0.036402, Swim/Underwear: 0.021036, Extremism: 0.011549, Gore: 0.008393, ID/CreditCards: 0.000002. 
Images that are classified have a percentage associated with each threat category. An image 
may be associated with more than one threat category. The exception to this is when an image is 
classified as belonging to one category 100%. In these instances, the image will be classified as 
only the one category. 


[Screenshot: Threat Categories for an image classified 100.00% as Weapons, with Alcohol, Drugs, 
Extremism, Gore, Porn, and Swim/Underwear all at 0.00%] 


In Media view, content can be sorted by Threat Category. 


In Media view, files can also be filtered by Threat Category. In addition to choosing the Threat 
Category of interest, you can use one of these modifier options. 


• is less than 
• is greater than 
• is between 
• is <= to 
• is >= to 


[Screenshot: Filter pane with Match: All, a Threat Category condition set to "is >= to", and 
the Reset and Apply buttons] 
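The five modifiers and the Match setting, worked through in code. This is an added example, not Inspector's own code: the record layout follows the "Category: value" lines of the Metadata tab, and the file names and scores are constructed.

```python
"""Threat Category filter, as the Media view describes it: each classified
file carries one score per category, a filter condition pairs a category with
one of the five modifiers, and Match: All or Any combines several conditions.
Added example, not Inspector's code; file names and scores are constructed."""
import operator

# Constructed records in the "Category: value" layout of the Metadata tab.
SAMPLE_RECORDS = {
    "IMG_0001.jpeg": """Alcohol: 87.782722
Drugs: 0.112860
Extremism: 0.011549
Gambling: 0.855617
Gore: 0.008393
ID/CreditCards: 0.000002
Porn: 0.036402
Swim/Underwear: 0.021036
Vehicles: 0.193977
Weapons: 0.101853""",
    # Classified 100% as one category: the other categories sit at 0.00%
    # and Gambling is not reported at all for this file.
    "IMG_0002.jpeg": """Alcohol: 0.00%
Drugs: 0.00%
Extremism: 0.00%
Gore: 0.00%
Porn: 0.00%
Swim/Underwear: 0.00%
Weapons: 100.00%""",
}

# The modifier names are the options offered by the Media view filter.
COMPARISONS = {
    "is less than": operator.lt,
    "is greater than": operator.gt,
    "is <= to": operator.le,
    "is >= to": operator.ge,
}


def parse_threat_categories(text):
    """Map 'Category: value' lines to {category: float}.

    A trailing percent sign is accepted; lines that do not fit the layout
    are skipped so one stray line does not discard the whole record."""
    scores = {}
    for line in text.splitlines():
        name, sep, value = line.partition(":")
        if not sep:
            continue
        try:
            scores[name.strip()] = float(value.strip().rstrip("%"))
        except ValueError:
            continue
    return scores


def evaluate_condition(scores, category, modifier, bound):
    """True when the file's score for `category` satisfies the modifier.

    `bound` is a number, or a (low, high) pair for 'is between'. A file that
    carries no score for the category never matches, whatever the modifier."""
    score = scores.get(category)
    if score is None:
        return False
    if modifier == "is between":
        low, high = bound
        return low <= score <= high
    return COMPARISONS[modifier](score, bound)


def filter_files(records, conditions, match="All"):
    """Names of the records meeting the conditions under Match: All (every
    condition) or Match: Any (at least one), in record order."""
    combine = all if match == "All" else any
    matched = []
    for name, text in records.items():
        scores = parse_threat_categories(text)
        if combine(evaluate_condition(scores, *cond) for cond in conditions):
            matched.append(name)
    return matched


if __name__ == "__main__":
    rule = [("Weapons", "is >= to", 50.0), ("Alcohol", "is greater than", 50.0)]
    print("Match: All ->", filter_files(SAMPLE_RECORDS, rule, "All"))  # []
    print("Match: Any ->", filter_files(SAMPLE_RECORDS, rule, "Any"))  # both files
```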
Analyzing Audio Files 


The Media view shows audio file information and cover art (when available), and built-in playback 
controls allow examiners to listen to audio files directly from within Inspector. 


At the top left of the Content pane, select the drop-down menu, and choose Audio. Inspector 
displays a list of audio files, including music files, ring tones, podcasts, and other sound files, 
contained on the selected device. 


[Screenshot: Audio list in the Media view with Title, Artist, Album, and Year columns, and the 
Hex, Strings, Preview, Metadata, Location, Record, and Data Fork tabs of the File Content view] 


To play an audio file, select it in the Content pane. At the top of the File Content view, click 
Preview and then click Play. On Mac computers only, you can also click Quick Look (eye button) 
or press SPACEBAR to play the audio file. 


After you run the metadata processor, you can see audio metadata in the Information pane. 
Communication View 


The Communication view includes data from various forms of communication including phone 
calls, messaging, social media, and email. 


This chapter provides these topics about the Communication view. 

• Phone Artifacts 
• Messaging 
• Social Media 
• Contacts 
• Email 


Phone Artifacts 


On the toolbar, click Communication. Of the eight additional sub-views that display, four relate to 
phone call, voice, and video conference data on cellular and Wi-Fi-enabled devices. 


Note: Both iPod touch and iPad devices are Wi-Fi-enabled. Therefore, FaceTime sessions (along 
with other features that connect over Wi-Fi) may be present on both device types. 


In any of the sub-views in the Communication view, select any column heading to sort 
communication records by attribute. 


Calls 


At the top of the Content pane, click Calls. The Calls sub-view displays recent incoming, 
outgoing, and missed phone calls, as well as FaceTime and Skype sessions. 


Data is arranged in the following columns: Service, Direction, Type, Date, Contacts, Duration 
(HH:MM:SS), and Status. 


The Status column indicates whether a communication was cancelled, missed, or failed. 


The Direction column displays whether a communication was incoming or outgoing. 


Names associated with a contact in the device's address book are included in the Contacts 
column. 


[Screenshot: Calls sub-view listing phone, iPhone, and Skype sessions in the columns above, with 
the Hex tab of the File Content view showing the raw bytes of the call database] 


August 2021 Inspector User Guide 


Select a phone, FaceTime, or Skype session file in the Content pane. In the File Content view, 
click Preview. 


The File Content view displays the database file containing raw data for calls, FaceTime 
sessions, and Skype sessions. For iOS devices, this database is the call_history.db SQLite 
database file, which contains the last 100 communication records sent or received on the iOS 
device. This is the maximum number of records the call_history.db SQLite database can retain 
under normal circumstances. If the iOS device is jailbroken, the database file may be customized 
and may retain more than 100 records. 


Inspector displays communication records deleted by the user or the device's operating system 
in red italic font. 


Voicemail 


At the top of the Content pane, click Voicemail. Voicemail records are displayed. At the top of the 
File Content view click Preview. Select an active voicemail file, and in the File Content view, 
audio playback controls display. Click Play to listen to the voicemail. 


If a voicemail number is associated with a contact in the device's address book, a name appears 
in the Name(s) column. Unheard voicemail records display with a small blue dot in the Unheard 
column. If an examiner listens to the message from within the Inspector interface, the small 
blue dot remains. 


In the Content pane, highlight a voicemail record and press SPACEBAR. A Quick Look window 
appears and automatically plays the voicemail message. Or, at the top of the File Content view, 
click Preview to display an audio playback interface for the selected voicemail. Click Play to play 
the voicemail. 


Deleted records appear in red italic font. In some instances, a record is displayed twice, once as 
a deleted record and once as an active record. When a caller leaves a voicemail, duplicate 
records may be created. When the user deletes the voicemail, the iOS operating system only 
deletes one of the records. 


Recovered voicemail messages cannot be played. Voicemail messages on iOS are AMR files. 
When a voicemail is deleted, the AMR file is also deleted. Voicemail files on devices running 
older iOS versions can sometimes be carved from unallocated space. However, recovery is 
currently not possible if the device is running iOS version 4 and higher. 


Voice Memos 


At the top of the Content pane, click Voice Memos. Voice memo details are displayed. Select a 
voice memo in the Content pane, and press SPACEBAR. A Quick Look window appears and 
automatically plays the Voice Memo file. Or, at the top of the File Content view, click Preview to 
display an audio playback interface for the selected voice memo. Click Play to play the Voice 
Memo file. 


Like deleted voicemail messages, deleted Voice Memo files appear, but do not play because the 
.m4a file is deleted from the file system when the voice memo is deleted. 


Favorites 


At the top of the Content pane, click Favorites to display contacts that a user designates as 
favorites (possibly the most often used contacts). Favorites data is arranged in Name, Address 
(number), and Label (home, mobile, work, etc.) columns. 


Messaging 


Inspector parses and displays these types of message communication. 

• SMS 
• MMS 
• iMessage 
• iChat 
• Skype 
• Messages 
• WhatsApp 
• Kik 
• textPlus 
• Textfree 
• Tango 


In the Component list in the Evidence section, select a device. On the toolbar, click 
Communication, then click Messages. Every messaging service that can be parsed by Inspector 
will appear in the main window. 


Inspector displays communication records deleted by the user or the device OS in red italic font. 


[Screenshot: Messages sub-view in List View with Service, Direction, Date, Content, Subject, 
Sender, Participants, and Attachment columns, and the Full Message panel beneath the list] 
To filter messages by contacts, at the top of the Content pane, choose Contacts in the Filter 
field. The default is All messages. To sort messages, click List View and then click a column 
heading such as Service, Direction (incoming or outgoing), Date, Content, Subject, Sender, 
Participants, and so forth. 


Message records are easily sorted and tagged using these filter and sort features. In List View, 
selecting a message causes the message contents to appear in the Full Message panel in the 
lower section of the Content pane. 


Note: Messages without text appear in the List View with an empty Content column. 


In the Content pane, select an MMS message. In the File Content view, click Preview. Items that 
display as Attachment indicate that a file is attached to a message. These may be pictures, 
movies, or other file types, and the type will be indicated next to the word Attachment. For 
instance, an attached image would show «Attachment - image/filename» in the Content column. 


You can see a message as a two-way conversation, the way a user would actually see it on a 
device. At the top of the Content pane, click Conversation View. Picture files display as 
thumbnails, and movie files display with a play icon superimposed over a static thumbnail within 
the conversation. 


Conversation View shows messages using three different conversation bubble colors: green for 
outgoing SMS messages, blue for outgoing iMessages, and gray for incoming messages (the 
same way an iOS device displays them). The colors are the same for other messaging types. 


Media files may be viewed and/or played (if the file is a movie) in the File Content view using the 
Preview or Quick Look views. 


Scroll through the Hex, Strings, Preview and Quick Look (Mac only) tabs at the top of the File 
Content view to examine SMS, MMS, and iMessage records using different views. Select a 
message containing a movie file. In the File Content view, click Preview. Click Play in the File 
Content view, or click Quick Look (eye button), and the movie plays. 

MMS movies usually have the file extension of .3gp and are located in the /Library/SMS/Parts 
directory (folder). Use the File Filter to quickly find and view MMS and iMessage movies. For 
more information, see File Filters. 


If iChat Log files are present, they are represented by the messaging service that was used. The 
name of the particular messaging service used will appear in the Service column. For example, 
if AIM was used for iChat, the name AIM will be listed in the Service column. Other iChat 
messaging services include Google Talk and JABBER. 


Select an AIM item in the Content pane. In the File Content view, click Preview. The chat session 
.plist data, created by the iChat application, is displayed. iChat sessions are stored in a .plist file. 


In the File Content view, click Hex, Strings, Preview and Metadata to display iChat data in 
different ways. 


Note: Inspector only shows the first 63 fields (columns) for each database record. If an examiner 
selects a table with more than 63 fields, a warning dialog appears to let the examiner know that 
some fields (columns) are not displayed. 


Social Media 


Inspector parses and displays communications from several common social media applications. 
In the Evidence section of the Component list, select a device. On the toolbar, click 
Communication » Posts. Select any column in the Content pane to sort. 


Communications from all social media applications are shown together in the Content pane. 
Select an item, and the full text of the message appears in the Full Post display area beneath the 
Content pane. Inspector displays communication records deleted by the user or the device's 
operating system in red italic font. 


The Posts sub-view can show this information, when it is available, about each post in the 
Content pane. 


Service: Name of the social media application 

Date: Post timestamp 

Post ID: The application's ID number for the post 

Title: Title text of the post 

Post: Body text of the post 

Comment: Comment text of the post 

Media: [blank] if no media item was attached to this post; «Attachment - image» or 
«Attachment - photo url» if a media item was attached to this post 

Author: The author of the post. If the author cannot be identified, this value shows Unknown. 

Media Owner: The media owner of the media attached to the post 

Associated Users: Users associated with the post 

Comment Link ID: 
• For Foursquare posts containing a comment entry, this value identifies the ZFSCOMMENT 
table row from the Foursquare app's foursquare.sqlite database where the comment text was 
identified 
• For Facebook fragments containing a comment entry, this value identifies the ZCOMMENT 
table row from the Facebook app's Store.sqlite database where the comment text was 
identified 

Media Link ID: 
• For Foursquare posts containing a media entry, this value identifies the ZFSPHOTO table row 
from the Foursquare app's foursquare.sqlite database where the media entry was identified 
• For Facebook fragments containing a media entry, this value identifies the ZMEDIA table row 
from the Facebook app's Store.sqlite database where the media entry was identified 

Post fragments with an associated picture may have a locally cached version of that picture. If a 
locally cached version exists and is able to be identified, Inspector parses and displays that 
picture in Preview sub-view when the fragment is selected. 


To focus on items from just one application (such as Facebook, Foursquare, Swarm, Twitter, 
LinkedIn, or Tango), sort by the Service column or use a filter. To show or hide the file filter, click 
Show/Hide Filter (three arrows) below the right side of the toolbar. Then select the desired filter 
to narrow results. For more information, see File Filters. 


You can see application bundle contents, including available profile information for social media 
applications. For more information, see System View. 
Contacts 


On the toolbar, click Communication » Contacts. This sub-view shows contacts on a device. 


[Screenshot: Contacts sub-view listing contacts with First, Last, Organization, and Service 
columns, where the Service values include SMS, Recents, iChat, and iMessage] 

On the left side of the Content pane select a contact, and on the right side of the Content pane 
select a contact avatar if one exists. The source image opens to its full size. Contact avatars are 
sometimes cropped or masked. By selecting the avatar in Inspector, you can see the entire 
source image. Tag the image, and it will appear in a report both as a thumbnail and as a full-size 
image. 


Deleted contacts appear in red italic font. 


Records in the Contacts sub-view can be exported as either tab-delimited or CSV files. In the left 
side of the Content pane, select one or more rows of data, open the context menu, and then click 
Export » Export Selected Rows to choose the format (tab-delimited or CSV) and save location. 
All fields of the contact data are included in exports, meaning all data in the right half of the 
Content pane, rather than just the first name, last name, and organization fields seen in the 
highlighted row. Contacts with multiple entries of the same type (for example, multiple email 
addresses) have those entries combined into a single field on the export, with semicolons used 
to separate entries. 


[Screenshot: exported contact rows with Phone(s), Email(s), Location, and Other Data columns, 
where a contact's several email addresses appear in one field separated by semicolons] 

Email 


The Email sub-view in Inspector supports these email formats. 

• .pst and .ost (Outlook for Windows) 
• general mbox (exported Mac Mail and other platform-agnostic clients) 
• .olk15Message (Outlook for Mac) 
• .eml 
• .emlx 
• imapmbox 


For an email to be included in a report and viewable as the user saw it, you must tag the email 
from this Email sub-view. 


1. In the Evidence section of the Component list, select an evidence item. 

2. On the toolbar, click Communication » Email. 

3. At the top of the Content pane, click Mailboxes and choose a mailbox to view, or leave the 
drop-down set to ALL. 


Unread emails are shown in bold text. Emails that have one or more attachments show the 
quantity in the Attachment Count column. 


[Screenshot: Email sub-view with the Mailboxes tree on the left, a message list with From, To, 
Subject, Date Sent, Size, and Attachment Count columns, the Mail, Properties, Raw Source, and 
Attachments tabs with a rendered message, and the Metadata tab of the File Content view 
showing the .emlx file's Name, Path, Size, and SizeOnDisk] 

To find a keyword within any parsed mail messages, use the filter on the far right in the 
Communication view. These are the filter options for email. 

• Attachment Count 
• Date Sent 
• From 
• Subject 
• Size 
• To 
• Content 

Filtering by content looks for data within the content of the emails. 


[Screenshot: Email sub-view with a Content "contains" filter applied, and the Raw Source tab of 
the matching message showing a multipart/alternative message whose text/plain part is 
quoted-printable encoded, with the Metadata tab of the File Content view beneath] 
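The Content filter described above, worked through in code to show why the search has to run over the decoded message rather than the raw source. This is an added example, not Inspector's own code; the message is constructed (its multipart/alternative layout, boundary, and quoted-printable text part mirror the Raw Source tab above), and the addresses and Message-Id are placeholders.

```python
"""Content filter for parsed mail, as the Email sub-view describes it: the
search runs over the decoded content of each message, not its raw source.
Added example, not Inspector's code. The message below is constructed; its
multipart/alternative layout, boundary and quoted-printable text part mirror
the Raw Source shown above, and the addresses and Message-Id are placeholders."""
from email import policy
from email.parser import BytesParser

# Constructed RFC 5322 message. A "=" at the end of a body line is a
# quoted-printable soft line break, so the decoded text reads
# "... while stealing the cars." although the raw bytes never contain it.
SAMPLE_EML = b"""From: Sender Name <sender@example.invalid>
To: Recipient Name <recipient@example.invalid>
Subject: Re: Slim Jim
Date: Fri, 3 Dec 2010 13:34:44 -0600
Message-Id: <placeholder-id@example.invalid>
Mime-Version: 1.0
Content-Type: multipart/alternative; boundary="Apple-Mail-3--434928308"

--Apple-Mail-3--434928308
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain; charset=us-ascii

Nice man. I like that one. It is sleek. Gotta look good while stealing =
the cars.
--Apple-Mail-3--434928308
Content-Transfer-Encoding: quoted-printable
Content-Type: text/html; charset=us-ascii

<html><body>Nice man. I like that one. It is sleek. Gotta look good while =
stealing the ca=
rs.</body></html>
--Apple-Mail-3--434928308--
"""


def parse_message(raw_bytes):
    """Parse raw message bytes into an EmailMessage (modern email policy)."""
    return BytesParser(policy=policy.default).parsebytes(raw_bytes)


def message_text(msg):
    """Decoded text of every text/* leaf part, joined with newlines.

    get_content() undoes the transfer encoding (quoted-printable, base64)
    and the declared charset, so the search sees what the user saw."""
    parts = []
    for part in msg.walk():
        if part.is_multipart() or part.get_content_maintype() != "text":
            continue
        parts.append(part.get_content())
    return "\n".join(parts)


def raw_source_contains(raw_bytes, keyword):
    """Naive search over the raw source, kept here to show what it misses:
    a phrase broken by a soft line break or hidden by base64 never matches."""
    return keyword.lower().encode() in raw_bytes.lower()


def filter_by_content(messages, keyword):
    """Indexes of the messages whose decoded content contains `keyword`
    (case-insensitive), the equivalent of Content 'contains' in the filter."""
    needle = keyword.lower()
    return [
        i for i, raw in enumerate(messages)
        if needle in message_text(parse_message(raw)).lower()
    ]


if __name__ == "__main__":
    phrase = "stealing the cars"
    print("raw source:", raw_source_contains(SAMPLE_EML, phrase))  # False
    print("decoded   :", filter_by_content([SAMPLE_EML], phrase))  # [0]
```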


When you select an email in the list, these tabs in the lower portion of the Content pane allow for 
various views of that email. 

• Mail (for a rendering of the email) 
• Properties 
• Raw Source 
• Attachments (to see a list of attachments) 


Choose an attachment, then click Preview in the File Content view. The selected file appears. On 
Mac computers, with the attachment file still selected, click Quick Look (eye button) or press 
SPACEBAR to see the attachment using the Quick Look framework. Email attachments are 
tagged with the email and can also be tagged separately. 


For more information, see Tags. 
Support for EMLX and EMLX Partial 


EMLX is a Mail Message (Apple Mail Email) file used to store an email message. These are plain 
text files that store just a single email message. EMLXPART files are used by Apple Mail as well, 
but as attachment files instead of as the actual email files. The emails show the typical context 
instead of the header information and the attachments are automatically included. 


[Screenshot: a tagged email rendered in the Mail tab as the user saw it, showing the subject 
line and the message body with its attachment included] 
To render the attachments in the report, you must enable the preference to Create previews for 
tagged email. It is disabled by default because it can slow down generation of very large reports. 
For more information, see Inspector Preferences or Options. 


[Screenshot: report preview of tagged emails listing From, To, Subject, Received Date, Sent Date, 
Message ID, Body, Size, Source File (a .partial.emlx file), and Attachment fields, followed by 
the rendered message with its headers and body] 
Locations, Internet, and Productivity Views 


This chapter provides these topics about the Locations, Internet, and Productivity views. 

• Locations View 
• Internet View 
• Productivity View 


Locations View 


In the toolbar, click Locations to open the Locations view. The Locations view lets you examine 
this information. 

• Google and Apple Maps usage 
• Geolocation data from media files, calendar and social media apps 
• Wi-Fi network information 
• Additional location services data. This is Apple's definition of location services: 
"Location Services allows location-dependent apps and websites (including Maps, Camera, 
Safari, and other Apple and third-party apps) to use information from cellular, Wi-Fi, and 
Global Positioning System (GPS) networks to determine your approximate location." 


Map View Sub-view 


The default sub-view in Locations is Map View. This view assembles all of the location data 
parsed from the evidence, creating an interactive cluster map. Location data parsed includes 
Google Maps and Apple Maps searches, bookmarks, dropped pins, and old tags, as well as 
media files and calendar items that contain geolocation data. Also, certain social media apps 
contain geolocation data that can be parsed into this sub-view. While each app may store 
different pieces of data, at a minimum, latitude and longitude are parsed and displayed. Based 
on the source app, additional information such as a timestamp, location name and address, and 
other data may be parsed and displayed. The map is generated using map tiles installed on the 
system with the Inspector installer, based on OpenStreetMap. All data containing geolocation 
information is represented on the cluster map by a blue dot. Densely populated regions of the 
map also display a numerical value indicating the number of data items mapped in that region. 


[Screenshot: Map View sub-view showing the cluster map with blue dots and numbered clusters] 
The cluster map lets you zoom in and out using the slide bar on the lower right side. When 
zooming, it automatically focuses on the area of the map centered in the window. To change the 
focus, click in the map window, hold down the mouse button, and drag the appropriate region 
into the center of the map. You can do this as necessary until the appropriate region is shown in 
the center of the map. 
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Map tile sizes change when the zoom level changes. Interacting with the map tiles reveals the 
mapped geolocation data. When a map tile is selected, data points mapped on that tile appear in 
the right side of the Content pane. These columns can provide detailed information. 


• Service 
• Date 
• Type 
• Name 
• Address 
• Latitude 
• Longitude 
• Distance 
• Altitude 
• Accuracy 
• Speed 


The selected map tile is highlighted on the map in the Content pane with the corresponding data 
listed on the right side of the pane. Data points are marked on the map with a blue dot. If a data 
point is selected on the map, the dot changes to pink and the corresponding data on the right is 
highlighted. 
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For a data point on the map, open the context menu, where you can copy the location to the 
clipboard, or show the location in Google Maps, OpenStreetMaps, or Bing Maps. When connected 
to the Internet, choosing an option for showing location opens the selected map in the default 
web browser. 
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Tagging information from Map View tags only the location data. It does not tag the associated file 
or any other file metadata. You can tag the file only in the Browser view. To see the file 
associated with location data, open the context menu from an item in the list, and then click 
Reveal » File in File Browser. 


You can use the Filter pane in the Map View to show geolocation information based on the 
parsed data. For instance, you can create a filter to map only geolocation data extracted from 
Video data. Once a filter is applied, the cluster map shows only the data that meets the filter 
criteria. 
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Location List Sub-view 


At the top of the Content pane, click Location List. The Location List sub-view displays Google 
Maps and Apple Maps searches, bookmarks, dropped pins, old tags, as well as media files and 
calendar items that contain geolocation data. Also, certain social media apps contain geolocation 
data that can be parsed into this sub-view. While each app may store different pieces of data, at 
a minimum, latitude and longitude are parsed and displayed. Based on the source app, 
additional information such as a timestamp, location name and address, and other data may be 
parsed and displayed. 


Select any record in the Location List view, then click Location in the File Content view to see 
one or more offline maps depicting the item's latitude and longitude coordinates. 
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Offline Maps 


Inspector presents a set of static maps based on OpenStreetMap. Select a file that contains GPS 
coordinates and click Location in the File Content view. In the Location tab, you can see an 
offline map with three levels of zoom. You can download additional maps for additional zoom 
capabilities. 
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The zoom is currently set at levels 3, 5, and 8. When additional zoom level tiles are downloaded, 
Inspector increases its maximum zoom accordingly. When connected to the Internet, you may 
also zoom in by clicking Show on Google Maps. 


The default web browser opens to Google Maps, allowing control of the zoom level and viewing 
style. With Inspector, you can export files containing GPS information as a .kmz file or in .kml 
format. 


Select the files containing GPS data, open the context menu, click Export » Export Selected 
Location Data As, and then choose either KMZ or KML format. In the Export window, provide a 
file name, choose or create a destination folder, and then click Export. Inspector exports the 
GPS data to a .kmz or .kml file in the destination folder. To see the geolocation coordinates using 
Google Maps, click Show on Google Maps. (The analysis machine must be connected to the 
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For iOS devices, the Location Data sub-view also displays the consolidated.db file (Location 
Services) contents here: /Library/Caches/locationd/consolidated.db. 


Note: iOS versions 4.3.3 and later no longer store GPS coordinates in this database. 


For Location Services, three data types are displayed: Wi-Fi, Cell and Cell (Local). Wi-Fi 
information is collected from nearby Wi-Fi access points. Cell data is collected from nearby cell 
towers. 


Cell (Local) is data from cell towers the phone connects to. This data may suggest the phone's 
locations over time. Date and timestamp data is not always accurate, however, because Apple 
batch dumps much of this data into this database. Look at the timestamps and notice they are 
often the same. 


Each database record includes the type of Location Service (Wi-Fi or Cell), a UTC timestamp, and 
GPS latitude and longitude coordinates. If Location Services obtained geolocation data from a 
Wi-Fi signal, the Wi-Fi device Media Access Control (MAC) address appears. 


Geolocation data in the Location Data sub-view may be exported from a non-networked analysis 
machine to a networked machine and viewed dynamically using the Google Earth application. In 
the Content pane, use your computer's normal procedures to select a single record, several 
adjacent records, or several non-adjacent records. Open the context menu, select Export 
Selected Location Data As, then choose either KMZ or KML format. In the Export window, 
provide a name for the file, choose or create a destination folder, and then click Export. 
Inspector exports the GPS data to a .kmz or .kml file in the destination folder. 
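The following is an added example, not Inspector's own code, showing what the KML/KMZ export described here (and the identical export from the Locations sub-views above) looks like when produced and read back with Python's standard library. The placemark elements (name, TimeStamp, Point) are standard KML 2.2; Inspector's exact field mapping is not documented on this page, so it is an assumption of the example, and the records are constructed sample data.

```python
import io
import zipfile
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

KML_NS = "http://www.opengis.net/kml/2.2"

# Constructed sample records (not from a real extraction), using the fields the
# Location sub-views list: name, latitude, longitude, altitude and a UTC timestamp.
SAMPLE_RECORDS = [
    {"name": "Apple Maps search", "lat": 37.33182, "lon": -122.03118, "alt": 0.0,
     "time": datetime(2021, 3, 4, 23, 10, 45, tzinfo=timezone.utc)},
    {"name": "IMG_0042.HEIC", "lat": 40.74844, "lon": -73.98566, "alt": 12.5,
     "time": datetime(2021, 2, 18, 14, 2, 9, tzinfo=timezone.utc)},
]


def _k(tag: str) -> str:
    """Qualify a tag name with the KML namespace."""
    return f"{{{KML_NS}}}{tag}"


def records_to_kml(records) -> bytes:
    """Serialise records as a KML 2.2 document with one Placemark per record."""
    ET.register_namespace("", KML_NS)
    kml = ET.Element(_k("kml"))
    doc = ET.SubElement(kml, _k("Document"))
    for rec in records:
        pm = ET.SubElement(doc, _k("Placemark"))
        ET.SubElement(pm, _k("name")).text = rec["name"]
        when = ET.SubElement(ET.SubElement(pm, _k("TimeStamp")), _k("when"))
        when.text = rec["time"].strftime("%Y-%m-%dT%H:%M:%SZ")
        # KML coordinates are longitude,latitude,altitude: the reverse of the
        # Latitude/Longitude column order, and the usual cause of points in the sea.
        coords = ET.SubElement(ET.SubElement(pm, _k("Point")), _k("coordinates"))
        coords.text = f"{rec['lon']:.6f},{rec['lat']:.6f},{rec['alt']:.1f}"
    return ET.tostring(kml, encoding="utf-8", xml_declaration=True)


def kml_to_kmz(kml_bytes: bytes) -> bytes:
    """A KMZ is a ZIP archive whose main document is named doc.kml."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("doc.kml", kml_bytes)
    return buf.getvalue()


def kmz_to_records(kmz_bytes: bytes) -> list:
    """Read the placemarks back, restoring the lat/lon order and UTC timestamps."""
    with zipfile.ZipFile(io.BytesIO(kmz_bytes)) as zf:
        root = ET.fromstring(zf.read("doc.kml"))
    ns = {"k": KML_NS}
    out = []
    for pm in root.iterfind(".//k:Placemark", ns):
        lon, lat, alt = (float(v) for v in
                         pm.findtext("k:Point/k:coordinates", namespaces=ns).split(","))
        when = pm.findtext("k:TimeStamp/k:when", namespaces=ns)
        out.append({"name": pm.findtext("k:name", namespaces=ns),
                    "lat": lat, "lon": lon, "alt": alt,
                    "time": datetime.strptime(when, "%Y-%m-%dT%H:%M:%SZ")
                                    .replace(tzinfo=timezone.utc)})
    return out


if __name__ == "__main__":
    kmz = kml_to_kmz(records_to_kml(SAMPLE_RECORDS))
    for rec in kmz_to_records(kmz):
        print(rec)
```

Google Earth accepts either form; the KMZ is only the compressed container. The one detail worth checking in any exported file is the coordinate order inside `<coordinates>`, which is longitude first, not the latitude-first order the Content pane columns use.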


Wi-Fi Sub-view 
At the top of the Content pane, click Wi-Fi. This sub-view shows Wi-Fi networks that the device 
has joined. Network SSID, BSSID, (signal) Strength, Security (open, WPA2, etc.), Last Joined, and 
Last Auto Joined information is also shown. 


Only networks that the device has joined are listed. Networks that are merely detected and 
shown as available are not part of this list. 
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Internet View 


The Internet view shows files associated with Safari, Firefox, Google Chrome, Internet Explorer, 
and Edge web browsers. This view includes Internet history from Windows and Mac computers 
as well as iOS and Android devices. 


In the Evidence section of the Component list, select a device. On the toolbar, click Internet. 
Internet files appear in the Content pane. By default, Inspector groups Internet log items by 
browser, so Firefox items will be grouped together, as will Safari and Google Chrome items. 
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| 20210304.231045-52bde03 (Tof 60) - /Racer- Dsts/Users/joah/Library/Sefari/Bockmarks.plist 


Inspector shows these items in sub-views. 


Sub-view        Description 
Bookmarks       A list of saved web addresses 
Cache           Web documents (HTML pages, images) remembered by the user's browser. Pages that 
                are temporarily cached by a browser load quickly because data does not have to 
                be accessed again from the Internet 
Cookies         Files stored by a user's browser from a website that has been opened in the browser 
Downloads       List of files downloaded using a browser 
Form Data       Personal data stored in an unencrypted database. May include credit card 
                information, usernames, passwords, etc. 
History         A list of websites that have been opened in a browser 
Last Session    A list of websites that were open in Safari during the last browser session. 
                Used for crash recovery 
Recent Search   A user's most recent searches 
Top Sites       Safari's visual representation (thumbnail images) of Internet history 
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These items are often stored as either a .plist file, within an SQLite database file, or /NDEX.DAT 
files (in the case of Internet Explorer]. 


In the Content pane, select an Internet cache item. At the top of the File Content view, click 
Preview. Cache file contents (including cached pictures when available) display. 


Inspector includes analysis support for these browsers. 

Browser                               Versions        Storage format 
Microsoft Internet Explorer           v5 - 9.0        Client UrlCache MMF Ver 5.2 
Microsoft Internet Explorer, Edge     v10, v11        Extensible Storage Engine (ESE) database 
Mozilla Firefox                       v3 - 70         SQLite and Cache Map 
Google Chrome                         v0.2 - 78       History and Cache 
Apple Safari (Mac OS X)               v1 - 13.0.3     Binary/XML History and Cache.db 
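The following is an added example, not code from Inspector, of the timestamp conversions an examiner needs when reading the SQLite history stores listed above directly rather than through the Internet view. Chrome's History database keeps urls.last_visit_time as microseconds since 1601-01-01 UTC (WebKit time), and Safari's History.db keeps history_visits.visit_time as seconds since 2001-01-01 UTC (Mac absolute time); treating either as a Unix timestamp puts visits decades or centuries off. Both tables are built in memory from constructed rows, and only the columns queried here are modelled, so the schema subset is an assumption of the example.

```python
import sqlite3
from datetime import datetime, timedelta, timezone

WEBKIT_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)   # Chrome: microseconds from here
MAC_EPOCH = datetime(2001, 1, 1, tzinfo=timezone.utc)      # Safari: seconds from here


def webkit_to_utc(microseconds: int) -> datetime:
    return WEBKIT_EPOCH + timedelta(microseconds=microseconds)


def utc_to_webkit(dt: datetime) -> int:
    # Integer division keeps the full precision; float seconds would not.
    return (dt - WEBKIT_EPOCH) // timedelta(microseconds=1)


def mac_absolute_to_utc(seconds: float) -> datetime:
    return MAC_EPOCH + timedelta(seconds=seconds)


def utc_to_mac_absolute(dt: datetime) -> float:
    return (dt - MAC_EPOCH).total_seconds()


def build_chrome_history() -> sqlite3.Connection:
    """In-memory stand-in for Chrome's History file: the urls table, constructed rows."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE urls (id INTEGER PRIMARY KEY, url TEXT, title TEXT, "
                "visit_count INTEGER, last_visit_time INTEGER)")
    con.executemany("INSERT INTO urls VALUES (?, ?, ?, ?, ?)", [
        (1, "https://example.org/login", "Sign in", 3,
         utc_to_webkit(datetime(2021, 3, 4, 23, 10, 45, tzinfo=timezone.utc))),
        (2, "https://example.org/docs", "Docs", 1,
         utc_to_webkit(datetime(2021, 3, 2, 8, 0, 0, tzinfo=timezone.utc))),
    ])
    return con


def build_safari_history() -> sqlite3.Connection:
    """In-memory stand-in for Safari's History.db: items plus per-visit rows, constructed."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE history_items (id INTEGER PRIMARY KEY, url TEXT, visit_count INTEGER);
        CREATE TABLE history_visits (id INTEGER PRIMARY KEY, history_item INTEGER,
                                     visit_time REAL, title TEXT);
    """)
    con.execute("INSERT INTO history_items VALUES (1, 'https://example.org/login', 2)")
    con.executemany("INSERT INTO history_visits VALUES (?, ?, ?, ?)", [
        (1, 1, utc_to_mac_absolute(datetime(2021, 3, 4, 23, 10, 45, tzinfo=timezone.utc)), "Sign in"),
        (2, 1, utc_to_mac_absolute(datetime(2021, 3, 1, 12, 30, 0, tzinfo=timezone.utc)), "Sign in"),
    ])
    return con


def chrome_history(con: sqlite3.Connection) -> list:
    """(url, title, UTC datetime) per URL, newest first."""
    rows = con.execute("SELECT url, title, last_visit_time FROM urls "
                       "ORDER BY last_visit_time DESC")
    return [(url, title, webkit_to_utc(t)) for url, title, t in rows]


def safari_history(con: sqlite3.Connection) -> list:
    """(url, title, UTC datetime) per visit, newest first; Safari keeps one row per visit."""
    rows = con.execute("""SELECT i.url, v.title, v.visit_time FROM history_visits v
                          JOIN history_items i ON i.id = v.history_item
                          ORDER BY v.visit_time DESC""")
    return [(url, title, mac_absolute_to_utc(t)) for url, title, t in rows]


if __name__ == "__main__":
    for row in chrome_history(build_chrome_history()) + safari_history(build_safari_history()):
        print(row)
```

Against a real image, point sqlite3.connect at a copy of the History file; the live file is locked and has write-ahead log side files that must be copied with it.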


Productivity View 
On the toolbar, click Productivity. The Productivity view has two sub-views, Calendar and Notes. 


Calendar Sub-view 


At the top of the Content pane, click Calendar to see calendar events and notes from the Calendar 
application (for macOS and iOS). 


Calendar events are displayed with time zone information. If Floating appears in the Time Zone 
column, the event is set to adjust the time zone automatically according to the device's clock. 
Notes associated with calendar events are displayed. They may contain contact names, phone 
numbers, directions, and so forth. 


Deleted calendar items appear in red italic font. 
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Notes Sub-view 


At the top of the Content pane, click Notes to see notes stored with the Notes application (for 
macOS and iOS) and the Stickies application. 


The Notes app on macOS and iOS has two storage options. Depending on the version of macOS 
and iOS, notes may be stored in notes.sqlite or NoteStore.sqlite. Notes can be stored locally on 
the device or in iCloud. iCloud notes are synced across devices that use the same iCloud 
account. 


The notes from the Stickies app are stored in ~/Library/StickiesDatabase. 


Inspector parses notes from notes.sqlite, NoteStore.sqlite, and StickiesDatabase. Data is parsed 
into these columns in the Content pane. 


• Date Created 
• Date Modified 
• Title 
• Summary 
• Account 
• Source/Folder 


The Source/Folder column indicates where the note came from. Notes can be synced using 
Google and Microsoft Exchange. These are shown along with iCloud notes and locally stored 
notes. For data stored in Stickies, the Account and Source/Folder fields are empty. 


Parsed data can be sorted using any of the Content pane columns. When a note is selected from 
the list in the Content pane, the note text appears in the Note Body section of the pane for notes 
stored in notes.sqlite and NoteStore.sqlite. 


If a note has multiple attachments, you can see those attachments in the Note Body section. You 
can see the content of attachments by clicking on an attachment and viewing it in the Preview 
tab. You can see the content in the other tabs as well. 


When you tag a note, any attachments that are part of the tagged note are automatically 
included. 


Inspector displays deleted Notes records in red italic font. 
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With an item selected in the Evidence list, only the sub-views appropriate for the type of item are 
available. 


This chapter provides these topics about these sub-views in the System view in Inspector. 


• Registry 
• Spotlight 
• Dictionary 
• Applications 
• System Logs 
• Memory 


Registry 


The Windows Registry page on Wikipedia, https://en.wikipedia.org/wiki/Windows_Registry, 
provides this information about the Windows Registry (as of April 2021). 

The Windows Registry is a hierarchical database that stores low-level settings for the Microsoft 
Windows operating system and for applications that opt to use the registry. The kernel, device 
drivers, services, Security Accounts Manager, and user interfaces can all use the registry. The 
registry also allows access to counters for profiling system performance.... 

There are seven predefined root keys, traditionally named according to their constant handles 
defined in the Win32 API, or by synonymous abbreviations (depending on applications): 

• HKEY_CLASSES_ROOT (HKCR) 
• HKEY_LOCAL_MACHINE (HKLM) 
• HKEY_CURRENT_CONFIG (HKCC) 
• HKEY_USERS (HKU) 
• HKEY_CURRENT_USER (HKCU) 
• HKEY_PERFORMANCE_DATA (only in Windows NT, but invisible in the Windows Registry 
  Editor) 
• HKEY_DYN_DATA (only in Windows 9x, and visible in the Windows Registry Editor) 
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To see Windows Registry files in Inspector, first select a Windows device in the Evidence section 
of the Component list. On the toolbar, click System » Registry. Inspector shows Registry keys 
hierarchically by root-level hives/files. 


[Screenshot: the Registry sub-view with its All, Significant, and ShellBags tabs. The left pane 
lists the hives (SAM, SECURITY, SOFTWARE, SYSTEM) and their keys with Key Name, Value Count, 
and Last Write Time columns; the right pane lists the selected key's values by Name and Type. 
The context menu offers View In External Application and Reveal File On Disk.] 


Windows Registry files often contain important forensic evidence such as usernames and 
passwords, Internet browser artifacts, recently accessed files, installed applications, uninstalled 
applications, etc. They have two basic elements: keys and values. Keys are container objects that 
are similar to folders, and values are non-container objects that are similar to files. 


The Registry is full of places to look for important data. One of the simplest ways to locate the 
data is by searching the Registry for a value or a key or both. The Find option allows you to 
quickly search keys, values, and data. It is possible to keep searching for the next occurrence of 
a specified text string. 


Use the Find keystrokes for your computer's operating system to open the Registry Find dialog 
window. This searches through every Registry item beginning with the currently selected 
Registry key. 


By default, the Registry sub-view displays the most common root keys and sub-keys. You can 
view additional Registry keys, including those that contain backup Registry files, Registry logs, or 
incremental updates that may or may not contain relevant data. 


To see all Registry items, at the top of the Content pane, click All. Inspector shows every 
Registry file on the system. All files except the key files appear under the Other root key. 
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You can also see an abridged Registry key set. At the top of the Content pane, click Significant. 


Unlike the All tab, the Significant tab shows only keys that most often contain important forensic 
evidence, such as usernames, passwords, and browser history. Hover over a Registry item in this 
view, and a tool tip appears with information about the item. 


[Screenshot: the Significant tab with the NetworkCards key selected; its tool tip reads 
"Maintains a list of network adapters; the list is held in numbered subkeys."] 


You can add items to the Significant view. Click your choice of Default, ALL, or Significant 
sub-views. Select an item in the list and click + (add) in the top right next to Add/Remove From 
Significant Items. Navigate to the Significant view if not already there. The added item is shown 
at the bottom of the list of Registry items. To remove an item from the list, select it and click 

- (remove) in the top right next to Add/Remove From Significant Items. Preset Registry items 
cannot be removed from the Significant list. 


Shellbags 


Shellbags are a type of Windows Registry key that may provide useful information, including a 
user's display preferences for a folder, timestamps for when a folder was first visited and last 
updated, and sometimes information about deleted folders. 


In the toolbar, click System » Registry » ShellBags. 


[Screenshot: the ShellBags tab. The left pane lists bags with Name, Type, Bag Path, Slot, and 
Created Date columns; the right pane lists the selected bag's fields, including Path, Last Write 
Date, Type ID, and the extension block data: Signature 0xBEEF0004, Size, Version Offset, 
Version, OS Version, System Identifier, MFT Entry Number, MFT Sequence Number, File System, 
Long Name, Localized Name, Date Created, and Date Accessed.] 
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Available shellbag information appears in the left pane. Select one of the folders in the list to see 
metadata pertaining to the shellbag in the right pane. Metadata is also shown in the File Content 
view if the Metadata tab is selected. 


You can apply Filters to the shellbag data by clicking Show/Hide Filter and applying filter 
parameters. Individual items or groups of items can also be tagged. 
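The following is an added example, not Inspector's own parser, showing where the fields Inspector lists for a shellbag (Signature, Size, Version, System Identifier, MFT Entry Number and MFT Sequence Number, Long Name, Localized Name, Date Created, Date Accessed) come from: the 0xBEEF0004 extension block appended to a file-entry shell item. The field offsets follow the libfwsi "Windows Shell Item" format documentation for block versions 9 and later and are an assumption of this example; the sample block is constructed, using the values visible in the screenshot above, and is not taken from a real hive.

```python
import struct
from datetime import datetime

BEEF0004 = 0xBEEF0004


def fat_decode(raw_date: int, raw_time: int) -> datetime:
    """Decode a FAT (DOS) date/time pair: 2-second resolution, no time zone."""
    return datetime(
        1980 + (raw_date >> 9), (raw_date >> 5) & 0x0F, raw_date & 0x1F,
        raw_time >> 11, (raw_time >> 5) & 0x3F, (raw_time & 0x1F) * 2,
    )


def fat_encode(dt: datetime) -> tuple:
    """Inverse of fat_decode; used only to build the constructed sample block."""
    date = ((dt.year - 1980) << 9) | (dt.month << 5) | dt.day
    time = (dt.hour << 11) | (dt.minute << 5) | (dt.second // 2)
    return date, time


def _utf16z(buf: bytes, offset: int) -> tuple:
    """Read a NUL-terminated UTF-16LE string; return (text, offset past the NUL)."""
    end = offset
    while True:
        unit = buf[end:end + 2]
        if len(unit) < 2:
            raise ValueError("unterminated UTF-16 string")
        if unit == b"\x00\x00":
            return buf[offset:end].decode("utf-16-le"), end + 2
        end += 2


def parse_beef0004(block: bytes) -> dict:
    """Parse one 0xBEEF0004 extension block (assumed layout, version >= 9)."""
    size, version, signature = struct.unpack_from("<HHI", block, 0)
    if signature != BEEF0004:
        raise ValueError(f"signature 0x{signature:08X} is not 0xBEEF0004")
    if size != len(block):
        raise ValueError(f"size field {size} does not match {len(block)} bytes")
    if version < 9:
        raise ValueError(f"version {version} uses a shorter layout than handled here")
    cdate, ctime, adate, atime, identifier = struct.unpack_from("<5H", block, 8)
    # 18..19 unknown; 20..27 NTFS file reference; 28..35 unknown
    (file_ref,) = struct.unpack_from("<Q", block, 20)
    (localized_len,) = struct.unpack_from("<H", block, 36)   # 0 means no localized name
    # 38..45: two 4-byte fields of unknown meaning (versions >= 8 and >= 9)
    long_name, off = _utf16z(block, 46)
    localized_name = ""
    if localized_len:
        localized_name, off = _utf16z(block, off)
    (version_offset,) = struct.unpack_from("<H", block, off)
    return {
        "size": size,
        "version": version,
        "created": fat_decode(cdate, ctime),
        "accessed": fat_decode(adate, atime),
        "system_identifier": identifier,
        "mft_entry": file_ref & 0xFFFFFFFFFFFF,   # low 48 bits of the file reference
        "mft_sequence": file_ref >> 48,            # high 16 bits
        "long_name": long_name,
        "localized_name": localized_name,
        "version_offset": version_offset,
    }


def build_sample_block() -> bytes:
    """Constructed sample: an 'Uploads' folder, MFT entry 3325 sequence 7, identifier 0x2E."""
    long_name = "Uploads".encode("utf-16-le") + b"\x00\x00"
    localized = "Upload".encode("utf-16-le") + b"\x00\x00"
    cd, ct = fat_encode(datetime(2017, 3, 30, 15, 54, 12))
    ad, at = fat_encode(datetime(2017, 4, 20, 16, 52, 12))
    file_ref = (7 << 48) | 3325
    body = (
        struct.pack("<5H", cd, ct, ad, at, 0x2E)   # dates and system identifier
        + b"\x00\x00"                               # unknown
        + struct.pack("<Q", file_ref)
        + b"\x00" * 8                               # unknown
        + struct.pack("<H", len(localized))
        + b"\x00" * 8                               # two unknown 4-byte fields
        + long_name + localized
        + struct.pack("<H", 0x16)                   # version offset
    )
    return struct.pack("<HHI", 8 + len(body), 9, BEEF0004) + body


if __name__ == "__main__":
    for key, value in parse_beef0004(build_sample_block()).items():
        print(f"{key:>18}: {value}")
```

Two points the parser makes visible: the FAT timestamps carry no time zone and only 2-second resolution, so the Date Created and Date Accessed shown for a shellbag are local time on the machine that wrote them, and the MFT entry and sequence numbers let you tie the bag back to a specific file record even after the folder has been deleted and the name reused.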


Spotlight 


Spotlight is Apple's indexing tool built into macOS and iOS. Spotlight data is stored at the 
root level of any volume that has touched a macOS system. This is known as the System Level 
store and contains metadata for files on the volume. Spotlight may also store indexed file 
content in cache text files located at /.Spotlight-V100/Store-V2/<UUID>/Cache. For macOS 
volumes, data is also parsed from the Spotlight stores listed in each user's Library folder. 
Spotlight files on iOS devices, stored in /private/var/mobile/Library/Spotlight/CoreSpotlight, are 
also parsed. 


To see data parsed from Spotlight, in the toolbar click System » Spotlight. 


[Screenshot: the Spotlight sub-view. The top portion lists entries with Date Updated, File Name, 
Display Name, Kind, and Description columns; the bottom portion lists the parsed metadata keys 
for the selected entry (List Index, Map Key, Value), such as _kMDItemContentChangeDate and 
_kMDItemCreationDate.] 


The data contained in Spotlight varies depending on the artifact you are viewing. The Content 
pane is split into two sections. The top portion contains columns of data with information parsed 
directly from the database and data parsed from the Spotlight metadata keys. The first column, 
Date Updated, and the columns all the way to the right (Item ID, OID, Parent OID, and Cache File) 
correspond to data contained in the Spotlight database. Between these columns is the 
information parsed from the Spotlight metadata keys. For example, the Spotlight metadata key 
_kMDItemFileName is displayed in the File Name column. The very last column, Source, contains 
the name of the Spotlight database the information was parsed from. The bottom portion of the 
Content pane lists all of the Spotlight metadata values parsed for each entry. Since Spotlight 
metadata varies, not all metadata items listed at the bottom will have a corresponding column at 
the top of the Content pane. 
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Parsed Spotlight databases on macOS systems typically contain a lot of entries. In the example 
above, there are over 240,000 parsed entries. Filtering can be performed on any of these 
categories. 

e Account Handles e Content URL e Item ID 

e Account Identifiers e Creation Date e Kind 

e Account Type e Date Added e Last Used Date 

e Bundle ID e Date Updated e OID 

e Cache File e Description e Parent OID 

e Content Creation Date e Display Name e Source 

e Content Modification Date e External ID e Storage Size 

e Content Type e File Name e Use Count 


For some Spotlight entries, OID corresponds to the inode of the file listed in the entry. If there is 
more than one record containing metadata for the same file by OID (inode), examining both 
entries can provide insights into how files on the system were changed. In File Filter, a filter by 
FS ID can be used to find the file with the corresponding inode number. 


[Screenshot: the Spotlight sub-view listing entries with the Date Updated, File Name, Display 
Name, Kind, Description, Use Count, Last Used Date, Creation Date, and Content Creation Date 
columns.] 

To locate Spotlight cache text files, find the entries with data stored in the Cache File column. To 
see the cache file itself, open the context menu on the cache file, then select Reveal ‘Cache File’ 
in File Browser. 


[Screenshot: the context menu on a Spotlight entry, with Reveal » 'Cache File' in File Browser 
highlighted. The menu also offers Copy Path, Quick Look, Find Identical Files, Save File Listing, 
Export, Reveal » File on Disk / File In File Browser / File In Disk View, and Tag Apple Spotlight 
As.] 
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Spotlight is also known to index content such as calendar entries, Evernotes, email, and 
reminders. Snippets of content from these sources can be found in the parsed Spotlight data. 


Tagging Spotlight Data 


If a Spotlight data entry is tagged in the top portion of the Content pane, all of the parsed 
Spotlight metadata values shown in the lower portion of the Content pane are automatically 
tagged. 



In the Report, the information parsed in the upper portion of the Content pane is shown together, 
followed by a separate table for each of the Spotlight metadata values parsed for that entry. 


One entry tagged in the top portion of the Content pane can result in numerous tagged items, 
since all parsed Spotlight metadata values shown in the lower portion of the Content pane are 
automatically tagged. 


Unfortunately, the reverse is not so easy. If an entry tagged from the top portion of the Content 
pane is removed, the corresponding parsed metadata values in the lower portion of the Content 
pane are not removed from the tag. To remove all of the tagged data, select all of the tagged 
entries in the lower portion of the Content pane, open the context menu, and then click Remove 
Apple Spotlight From Tag Group. 
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Dictionary 


On the toolbar, click System » Dictionary. The predictive text data from the dynamic dictionary 
database is displayed. This database file stores user-entered text strings typed on the keyboard. 
This may include usernames, web passwords and other login credentials, website URLs, and text 
from SMS and email messages. Depending on the device and operating system, these text 
strings may be stored in the chronological order they were typed. 


If a user stored passwords in an unsecured application, such as the Notes application, or 
accidentally typed a password into the wrong field on a login form, the text containing the 
password may be stored in this file. The iOS operating system does not store passwords that a 
user typed into a designated password text field. 


The text in this database file can be used to potentially aid in cracking passwords on the device. 
In the Content pane, select one or more dynamic text entries. Open the context menu and select 
Export as CSV. Select a file export location and click Export. A text file containing all the 
selected words is saved. 
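The following is an added example, not part of Inspector, of the next step the paragraph above points at: turning the exported dynamic-dictionary words into password candidates and testing them against a hash. The CSV layout (a header line and one word per row) is an assumption, since this page does not document the export's columns, and the rows are constructed. SHA-256 stands in for whatever the real target hash is; the candidate generation is the part that carries over.

```python
import csv
import hashlib
import io
import itertools

# Constructed stand-in for the CSV written by Export as CSV (column name assumed).
SAMPLE_CSV = """word
josh
Bennett
bmw
exhaust
Welcome1
welcome1
bmw
"""


def load_words(csv_text: str) -> list:
    """Read the word column in typed order, dropping exact duplicates only."""
    seen, words = set(), []
    for row in csv.DictReader(io.StringIO(csv_text)):
        word = row["word"].strip()
        if word and word not in seen:
            seen.add(word)
            words.append(word)
    return words


def mangle(word: str) -> set:
    """Case variants plus the suffixes and substitutions users most often add."""
    bases = {word, word.lower(), word.capitalize(), word.upper()}
    out = set(bases)
    for base in bases:
        out.add(base + "!")
        out.add(base + "1")
        for year in ("2019", "2020", "2021"):
            out.add(base + year)
        out.add(base.replace("a", "@").replace("o", "0").replace("e", "3"))
    return out


def candidates(words: list) -> list:
    """Mangled single words first, then ordered pairs (for example first name + surname)."""
    seen, cands = set(), []
    for word in words:
        for cand in mangle(word):
            if cand not in seen:
                seen.add(cand)
                cands.append(cand)
    for a, b in itertools.permutations(words, 2):
        for cand in (a + b, a.capitalize() + b.capitalize()):
            if cand not in seen:
                seen.add(cand)
                cands.append(cand)
    return cands


def sha256_hex(text: str) -> str:
    return hashlib.sha256(text.encode()).hexdigest()


def crack_sha256(target_hex: str, cands: list):
    """Return the candidate whose SHA-256 matches target_hex, or None."""
    for cand in cands:
        if sha256_hex(cand) == target_hex:
            return cand
    return None


if __name__ == "__main__":
    cands = candidates(load_words(SAMPLE_CSV))
    print(len(cands), "candidates;", crack_sha256(sha256_hex("Bmw2020"), cands))
```

For a real job the candidate list is written out one per line and handed to a dedicated cracker with its own rule sets; the value of the dynamic dictionary is that its words are the ones this user actually types, which beats any generic wordlist.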


Applications 


There are about 900,000 applications available from the Apple App Store. Inspector provides a 
uniform way to view these applications and application bundle contents during a forensic 
examination. 


On the toolbar, click System » Applications. The Applications sub-view shows a comprehensive 
list of user-installed third-party applications and their icons. Select an application from the list 
at left. The middle pane shows the application bundle contents, and certain application data is 

parsed and shown in the right pane. The data in the right pane may include a username, email 

address, app version, and last login date. 


In the middle pane, when you select a file associated with an application, such as a PDF, 
image file, or database, the file appears in the File Content view. To examine the file using 
different views, scroll through the Hex, Strings, Preview, Metadata, and Quick Look (Mac 
only) views at the top of the File Content view. Select a column heading to sort specific 
application files by Name, Date Created, Date Modified, Date Accessed, Date Added, or Size. 

[Screenshot: the Applications sub-view with Skype selected. The middle pane lists the bundle 
contents (_CodeSignature, Info.plist, MacOS, PkgInfo, Resources) with Date Created and Date 
Modified columns; the right pane shows parsed values such as Vendor, Birthday, Country, and 
Languages, and the File Content view below shows the selected Info.plist.] 
Applications like Facebook and Skype store contact and conversation data in database files. 


If third-party application information is important, be sure to perform a forensic image 
acquisition (using third-party software) or a logical data acquisition when adding iOS data to a 
case. 


System Logs 


In System View, System Logs offers views of File System Logs and Unified Logs. 


File System Logs 


Inspector parses system logs from both Windows and macOS computers. The File System 
Journal Analysis processing option parses $LogFile, which records disk activity, and $UsnJrnl, 
the change journal, on Windows computers, and .fseventsd on macOS. The OS Event / 
Security Logs processing option parses Windows event logs (EVT and EVTX), macOS Apple 
System Logs (ASL), and Unified Logs. For more information, see Adding a Disk Image. 


Once these processing options are run, you can see the results in the System Logs sub-view of 
the System view. 


On the toolbar, click System » System Logs. In the list to the lower left, click System Logs. The 
Content pane is divided into sections. On the left side, the upper pane lists parsed File System 
Logs. The lower pane lists parsed System Logs. The right side of the Content pane shows the 
item selected on the left. 


[Screenshot: System Logs sub-view. The upper left pane lists File System Logs with Source File, 
Date, Fields, Flags and UID columns; the lower left pane lists System Logs (.asl files, UnifiedLog); 
the right pane shows the Full Fields Content of the selected record (message, SenderMachUUID, 
facility, host, sender). The context menu offers View In External Application and Reveal File On 
Disk.] 
Unified Logs 


As of macOS 10.12, Apple introduced the unified logs format. This was done to have a common 
log format across all Apple operating systems, including macOS, iOS, watchOS, and tvOS. Unified 
logs are parsed with the OS Event / Security Logs initial processing option or Events/Logs from 
Evidence Status. 


The amount of data stored in Unified Logs is massive. During times of intense activity, 10,000 
records can be added to the logs in a minute. This can result in millions of records in Unified 
Logs. Loading millions of records into Inspector and manually reviewing them could take a 
significant amount of time. Therefore, you must filter Unified Log records for data of interest. 


To see unified logs, on the toolbar click System » System Logs. Then, in the list to the left, click 
UnifiedLog. The Content pane is divided into sections. On the left side, the upper pane lists 
parsed File System Logs. The lower pane lists parsed unified logs. 


Unified Logs do not load automatically. Instead, Inspector presents a message showing the total 
number of records and requiring you to apply a filter to view them. The filter pane automatically 
appears on the right side of the Content Pane. 


[Screenshot: Unified Logs in the System Logs sub-view. The filter pane at right (Match: All, 
Reset, Apply) holds a Date "is exactly" clause, and the Content pane reads "Apply filter to view 
records. 7,258,326 records."] 


Log records can be filtered by these options, parsed for each record. 


• Any (any string) 
• Date 
• Type 
• UID 
• PID 
• Process Name 
• Process Path 
• Sender Name 
• Sender Path 
• Message 
• Offset 
• Subsystem 
• Category 
• Signpost Name 
• Signpost Info 


Filters can be created for records during a timeframe of investigative interest. Dates in Unified 
Logs records are stored in the Inspector database down to nanoseconds, and records appear in 
microsecond precision. Sorting with the Date column shows the records in order by timestamps. 
The Date column is the only sortable column for Unified Logs. 
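The filtering described above can be mirrored in a few lines. The following is an added example, not Inspector code: it builds three constructed Unified Log records carrying the parsed fields listed above, stores their timestamps at nanosecond precision, renders them at microsecond precision, applies a list of filter clauses combined with Match: All or Match: Any, and returns the hits sorted by Date. The record dictionary layout, the clause format and the operator names are assumptions made for this example.

```python
from datetime import datetime, timezone

UTC = timezone.utc


def _ns(dt, sub_second_ns=0):
    """Unix-epoch nanoseconds for an aware datetime plus a sub-second offset."""
    return int(dt.timestamp()) * 10**9 + sub_second_ns


# Constructed sample records (not taken from a real log).  "date" is kept at
# nanosecond precision, as the Inspector database stores it.
SAMPLE_RECORDS = [
    {"date": _ns(datetime(2021, 5, 20, 22, 28, 17, tzinfo=UTC), 123_456_789),
     "type": "Default", "pid": 406, "uid": 501, "process_name": "loginwindow",
     "process_path": "/System/Library/CoreServices/loginwindow.app/Contents/MacOS/loginwindow",
     "sender_name": "loginwindow", "subsystem": "com.apple.loginwindow", "category": "",
     "message": "The connection was interrupted, calling interruption handlers"},
    {"date": _ns(datetime(2021, 5, 20, 22, 28, 16, tzinfo=UTC), 999_999_999),
     "type": "Error", "pid": 1, "uid": 0, "process_name": "launchd",
     "process_path": "/sbin/launchd", "sender_name": "launchd",
     "subsystem": "com.apple.xpc", "category": "",
     "message": "Service exited with abnormal code"},
    {"date": _ns(datetime(2021, 5, 21, 3, 10, 0, tzinfo=UTC)),
     "type": "Default", "pid": 0, "uid": 0, "process_name": "kernel",
     "process_path": "/kernel", "sender_name": "kernel", "subsystem": "", "category": "",
     "message": "Time zone changed to America/New_York"},
]


def format_date(ns):
    """Render a nanosecond timestamp at microsecond precision, as the Date column does."""
    whole = datetime.fromtimestamp(ns // 10**9, tz=UTC)
    return whole.strftime("%Y-%m-%d %H:%M:%S") + f".{(ns % 10**9) // 1000:06d} (UTC)"


def _matches(record, clause):
    """Evaluate one (field, operator, value) clause against a record."""
    field, operator, value = clause
    if field == "any":                       # "Any (any string)": search every field
        return any(str(value).lower() in str(v).lower() for v in record.values())
    actual = record.get(field)
    if field == "date":
        if isinstance(value, str):           # "YYYY-MM-DD HH:MM:SS", taken as UTC
            value = datetime.fromisoformat(value).replace(tzinfo=UTC)
        if isinstance(value, datetime):      # compare dates at nanosecond precision
            value = _ns(value)
    if operator == "is exactly":
        return actual == value
    if operator == "contains":
        return str(value).lower() in str(actual).lower()
    if operator == "is after":
        return actual is not None and actual > value
    if operator == "is before":
        return actual is not None and actual < value
    raise ValueError(f"unknown operator: {operator}")


def apply_filter(records, clauses, match="All"):
    """Return the records matching the clauses, sorted by Date.

    Like the view, refuse to hand back an unfiltered result set: millions of
    records are not something to page through by hand.
    """
    if not clauses:
        raise ValueError(f"Apply filter to view records. {len(records):,} records.")
    combine = all if match == "All" else any
    hits = [r for r in records if combine(_matches(r, c) for c in clauses)]
    return sorted(hits, key=lambda r: r["date"])   # Date is the sortable column


if __name__ == "__main__":
    for rec in apply_filter(SAMPLE_RECORDS, [("process_name", "contains", "login")]):
        print(format_date(rec["date"]), rec["process_name"], rec["message"])
```

A date clause given as a whole second matches "is exactly" only for records whose sub-second part is zero, which is why a timeframe is better expressed as an "is after" and an "is before" pair combined with Match: All.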


Unified Logs may contain data regarding time machine backups, time zone changes, external 
media mount and unmount, or connected printer. 


Due to the volume of Unified Log events, they are not included in the smart index. Any USB 
device information parsed from Unified Logs is also added to the Actionable Intel view. 
Memory 


For the contents of a memory file to be parsed and displayed, advanced processing options must 
first be run. For more information, see Adding a Memory File. 


Once advanced processing has been run on the memory file, the contents can be viewed in the 
Memory sub-view. 


On the toolbar, click System » Memory. 


[Screenshot: Memory sub-view with Processes, Libraries, Sockets, Handles and Drivers tabs. The 
upper pane lists processes with PID, Parent, Start Time, End Time and Path columns; the lower 
pane (Per Selected Processes: Libraries, Sockets, Handles) lists sockets with PID, process name, 
creation time, port, protocol, local and remote address and state (ESTABLISHED, open). The 
status bar shows the memory file Name, Path, Size and SizeOnDisk.] 


The Memory sub-view provides these deeper views for analyzing memory file artifacts. 


• Processes 
• Libraries 
• Sockets 
• Handles 
• Drivers 


Select one or more processes from the upper pane in the Processes sub-view, and any libraries, 
sockets, and handles associated with the selected processes (that is, having the same PID) appear 
in the lower pane. To see these artifacts in those views, click Libraries, Sockets, or Handles. 
Actionable Intel View 


The Actionable Intel view in Inspector allows you to see various types of data points that can 
mostly be attributed to a user's actions. The Actionable Intel view provides a tree style menu with 
sub-view menus. 


This chapter provides these topics about the Actionable Intel view. 


• Device Backups 
• Device Connections 
• Account Usage 
• Downloads 
• File Knowledge 
• Passwords 
• Program Execution 
• Search 
• Activity Correlation 


Device Backups 


In Actionable Intel, Device Backups offers a view of iOS backup folders contained on the selected 
partition, along with the model, phone number, last backup date, OS version, serial number, 
UDID and IMEI. 


To see device backups, on the toolbar click Actionable Intel, then in the menu to the left, click 
Device Backups. 


[Screenshot: Device Backups view listing two iOS backups with Name, Model, Phone Number, 
Last Backup Date, OS Version, Serial Number and UDID columns.] 


Exporting iOS Backups 


Select a backup, then click File > Add Selected. 


A message appears to advise that the backup item must be exported and reimported before it is 
available for analysis. Click Continue. 


In the Activity section of the Component list, click Export Status to see the backup folder export 
progress. When the export completes, the Add Evidence window appears, where you can import 
the iOS backup into the case. 
Mark the checkbox for the iOS backup to be imported. If the backup is encrypted, a lock icon 
appears next to the backup name. Click the lock icon (next to the backup name in the middle 
column), and a dialog box opens, prompting for the password that was in effect when the backup 
was made. 


iOS Backup Password Needed 


The backup folder (Josh Bennett's iPhone5) is encrypted. 


The iOS backup is encrypted. To decrypt, the backup password that was in effect when 
the backup was made is needed. 


Cancel Confirm Password 


Enter the password and click Confirm Password. Without the backup password, only ancillary 
data is available for collection, such as media and some third-party application data. 


Importing iOS Backups 


In the middle portion of the Add Evidence view, you can edit the Evidence ID field with an 
alphanumeric evidence ID for the iOS backup folder. 


Choose the ingestion options and click Start to begin the import. 


In the Activity section of the Component list, click Evidence Status to see the progress of 
importing the backup folder. When the import completes, the backup folder, along with the 
backup folder name and device-appropriate icon, appear in the Evidence section of the 
Component list. 


For more information, see Managing Case Evidence. 
Device Connections 


In Actionable Intel, Device Connections offers a view of all devices previously connected to the 
source computer. Among other things, you can see the connected device type, serial number, 
last connected timestamp, and the number of times the device was connected (for iOS devices). 


To see previously connected devices, on the toolbar click Actionable Intel, then in the menu on 
the left, click Device Connections. 


[Screenshot: Device Connections view with Product Name, Serial Number, Last Connected Date, 
User Name and Use Count columns, listing USB flash drives, an Internal Memory Card Reader, 
iPads and iPhones.] 


Account Usage 


In Actionable Intel, Account Usage offers views of cellular usage, top contacts, and user 
accounts. 


Cellular Usage 


This applies to both iPhone and Android devices; Android depends on device and version. 


You can see the parsed contents of this database showing the Subscriber ID, phone number and 
last update time. 


Users of iOS devices can switch SIM cards. Additionally, newer iOS devices are equipped with 
eSIM capability making it possible for users to store multiple eSIM accounts on a single device. 
This data is stored in /Library/Databases/CellularUsage.db. 
On the toolbar click Actionable Intel, then in the menu on the left, click Cellular Usage under 
Account Usage. 


[Screenshot: Cellular Usage view under Account Usage with Subscriber Id, Subscriber Mdn, Last 
Update Time and Slot Id columns.] 


Top Contacts 


You can see a list of the device's most frequent contacts along with the message and call counts 
for each. 


On the toolbar click Actionable Intel, then in the menu on the left, click Top Contacts under 
Account Usage. 


User Accounts 


You can see user account information for both current and deleted user accounts. 


This includes the current user accounts’ UID, User Name, Full Name, home folder path, and 
password hints, along with deleted user accounts' UID, User Name, Full Name, and date deleted 
information. Timestamps for created, last logon, last password change, last failed logon, and 
logon count may also show in this view. 


On the toolbar click Actionable Intel, then in the menu on the left, click User Accounts under 
Account Usage. 


[Screenshot: User Accounts view with Account Type, Account Property, User Name, Full Name, 
User ID, PW Hint, Password and Created columns, listing Mac, Messages and Skype accounts. 
The Preview tab below shows a parsed plist with name, passwd, picture, realname, record 
daemon version and shell keys.] 


For User Account entries stored in binary plists, you can select an entry in one column 
(highlighted green). Only data in the highlighted data appears in the lower portion of the Content 
pane. 
In macOS, account information is also parsed from databases stored in ~/Library/Accounts, 
providing information about the user name and account type. Databases in ~/Library/Accounts 
store information about the user's other accounts including iCloud, social media, email, and 
calendars. This data is parsed and displayed with operating system user accounts. Entries 
stored in the Account databases often contain a binary property list in the database entry. 


To see the data stored in the binary plist, select an entry in the Property Value column. The data 
is highlighted in green. The Preview tab in the File Content view shows the parsed property list. 


[Screenshot: User Accounts view with the Property Value column selected (highlighted green), 
showing bplist00 data for the Messages accounts. The Preview tab shows the parsed property list: 
Root, $archiver (NSMutableDictionary) containing AppleID, AuthID, SelfHandle and VettedAliases, 
and $objects (Array) beginning with $null.] 

Downloads 


In Actionable Intel, Downloads offers views of AirDrop and Files. 


AirDrop 


AirDrop is a macOS and iOS feature to transfer files to other nearby Apple devices. Artifacts from 
AirDrop on macOS are stored in multiple locations including Unified Logs and Spotlight. 
Inspector parses AirDrop artifacts from Spotlight, which contains more complete information. 


To see AirDrop artifacts, on the toolbar click Actionable Intel, then in the menu on the left, 
click Air Drop under Downloads. 


[Screenshot: Air Drop view under Downloads.] 


For more information, see these topics provided by Apple. 


• https://support.apple.com/en-us/HT204144 
• https://support.apple.com/en-us/HT203106 
Files 


Files shows information about recent file downloads. Some or all of this information may be 
shown. 


• source (such as Internet Explorer, Chrome, Safari, or Firefox) 
• file name 
• file path 
• timestamp 
• sender name 
• sender address 
• title 


Web browsers have built-in download managers that keep a history of every file downloaded by a 
user. These browser artifacts can provide excellent information about what sites a user has been 
visiting and what files were downloaded. In addition to browser downloads, Files also includes 
artifacts from Zone.Identifier files in Windows and quarantine files in macOS. 
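The two non-browser sources named above are small enough to parse by hand. On Windows a downloaded file carries a Zone.Identifier alternate data stream holding an INI-style [ZoneTransfer] section with the ZoneId and, for newer browsers, the ReferrerUrl and HostUrl; on macOS the equivalent provenance record is the com.apple.quarantine extended attribute, a semicolon-separated string of flags, hexadecimal epoch timestamp, quarantining agent and event UUID. The following is an added example, not Inspector code; both sample values are constructed.

```python
import configparser
from datetime import datetime, timezone

# URL Security Zone identifiers written into Zone.Identifier streams.
ZONE_NAMES = {0: "Local Machine", 1: "Local Intranet", 2: "Trusted Sites",
              3: "Internet", 4: "Restricted Sites"}

# Constructed sample Zone.Identifier stream, typical of a Chromium download.
SAMPLE_ZONE_IDENTIFIER = """[ZoneTransfer]
ZoneId=3
ReferrerUrl=https://www.example.com/gallery/
HostUrl=https://cdn.example.com/images/photo.jpg
"""

# Constructed sample com.apple.quarantine value: flags;hex epoch;agent;event UUID.
SAMPLE_QUARANTINE = "0083;60a6e6d9;Safari;00000000-0000-0000-0000-000000000000"


def parse_zone_identifier(text):
    """Parse a Zone.Identifier stream into a download-provenance record."""
    parser = configparser.ConfigParser(interpolation=None)  # URLs may contain '%'
    parser.optionxform = str                                # keep key case as written
    parser.read_string(text)
    if "ZoneTransfer" not in parser:
        raise ValueError("no [ZoneTransfer] section")
    section = parser["ZoneTransfer"]
    zone_id = int(section.get("ZoneId", "-1"))
    return {"source": "ADSZoneIdentifier",
            "zone_id": zone_id,
            "zone_name": ZONE_NAMES.get(zone_id, "Unknown"),
            "referrer_url": section.get("ReferrerUrl"),   # None when the browser omits it
            "host_url": section.get("HostUrl")}


def parse_quarantine(value):
    """Parse a com.apple.quarantine attribute; the UUID field may be absent."""
    parts = value.split(";")
    if len(parts) < 3:
        raise ValueError("malformed com.apple.quarantine value")
    timestamp = datetime.fromtimestamp(int(parts[1], 16), tz=timezone.utc)
    return {"source": "macOS quarantine",
            "flags": int(parts[0], 16),
            "timestamp": timestamp.isoformat(),
            "agent": parts[2],
            "event_uuid": parts[3] if len(parts) > 3 and parts[3] else None}


if __name__ == "__main__":
    print(parse_zone_identifier(SAMPLE_ZONE_IDENTIFIER))
    print(parse_quarantine(SAMPLE_QUARANTINE))
```

Older Zone.Identifier streams hold only ZoneId, so a parser must treat the URL keys as optional; the quarantine UUID, when present, is the key into the LaunchServices quarantine events database, which records the download URL.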


To see information about recent file downloads, on the toolbar click Actionable Intel, then in the 
menu on the left, click Files under Downloads. 


[Screenshot: Files view under Downloads with Source, File Name and File Path columns; the 
Source column reads ADSZoneIdentifier for each entry.] 
File Knowledge 


In Actionable Intel, File Knowledge offers views of Link Files, Recent Items, and Trash Items. 


Link Files 


On Windows systems, link (.lnk) files may be created by the operating system during routine 
operation or deliberately created by a user. To see Windows link files, on the toolbar click 
Actionable Intel. In the menu on the left, click Link Files under File Knowledge. Metadata for 
selected link files includes link attributes, link target information, and target system information. 
To see this metadata in the File Content view, click Preview. In this view, you can tag individual 
rows for reporting purposes. 
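The Link Flags, Target File Size, Icon Index and Show Command values shown in the Preview tab all come from the fixed 76-byte ShellLinkHeader at the start of every .lnk file. The following is an added example, not Inspector code: it builds a constructed header with struct (the timestamps and file size are made up), then parses it back, checking the header size and the Shell Link CLSID, decoding the link flag and file attribute bits, converting the three FILETIME values, and naming the show command. The structures that follow the header (LinkTargetIDList, LinkInfo, StringData) are not parsed here.

```python
import struct
from datetime import datetime, timedelta, timezone

HEADER_FORMAT = "<I16sIIQQQIiIHHII"            # ShellLinkHeader, little-endian, 76 bytes
HEADER_SIZE = struct.calcsize(HEADER_FORMAT)
# 00021401-0000-0000-C000-000000000046 in on-disk (little-endian GUID) byte order
LINK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

LINK_FLAGS = {
    0x00000001: "HasLinkTargetIDList", 0x00000002: "HasLinkInfo",
    0x00000004: "HasName", 0x00000008: "HasRelativePath",
    0x00000010: "HasWorkingDir", 0x00000020: "HasArguments",
    0x00000040: "HasIconLocation", 0x00000080: "IsUnicode",
    0x00000100: "ForceNoLinkInfo", 0x00000200: "HasExpString",
    0x00100000: "DisableLinkPathTracking", 0x00200000: "DisableKnownFolderTracking",
}
FILE_ATTRIBUTES = {
    0x01: "ReadOnly", 0x02: "Hidden", 0x04: "System", 0x10: "Directory",
    0x20: "Archive", 0x80: "Normal", 0x100: "Temporary", 0x400: "ReparsePoint",
    0x800: "Compressed", 0x2000: "NotContentIndexed", 0x4000: "Encrypted",
}
SHOW_COMMANDS = {1: "SW_SHOWNORMAL", 3: "SW_SHOWMAXIMIZED", 7: "SW_SHOWMINNOACTIVE"}


def from_filetime(value):
    """FILETIME (100 ns ticks since 1601-01-01 UTC) to datetime; 0 means unset."""
    return None if value == 0 else FILETIME_EPOCH + timedelta(microseconds=value // 10)


def to_filetime(dt):
    """Inverse of from_filetime, used only to build the constructed sample."""
    return ((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10


def _names(bits, table):
    """Expand a bit field into the names of the set bits, lowest bit first."""
    return [name for bit, name in sorted(table.items()) if bits & bit]


def parse_lnk_header(data):
    """Decode the ShellLinkHeader at the start of a .lnk file."""
    if len(data) < HEADER_SIZE:
        raise ValueError("file shorter than a ShellLinkHeader")
    (size, clsid, flags, attrs, ctime, atime, wtime, fsize, icon, show,
     _hotkey, _r1, _r2, _r3) = struct.unpack_from(HEADER_FORMAT, data)
    if size != HEADER_SIZE or clsid != LINK_CLSID:
        raise ValueError("not a Shell Link: bad HeaderSize or LinkCLSID")
    return {
        "link_flags": _names(flags, LINK_FLAGS),
        "file_attributes": _names(attrs, FILE_ATTRIBUTES),
        "creation_time": from_filetime(ctime),
        "access_time": from_filetime(atime),
        "write_time": from_filetime(wtime),
        "target_file_size": fsize,
        "icon_index": icon,
        # MS-SHLLINK: any value other than the three named ones is treated as SW_SHOWNORMAL
        "show_command": SHOW_COMMANDS.get(show, "SW_SHOWNORMAL"),
    }


def build_sample_lnk():
    """Constructed header only (no target structures); all values are made up."""
    utc = timezone.utc
    flags = 0x1 | 0x2 | 0x10 | 0x80 | 0x200000
    return struct.pack(
        HEADER_FORMAT, HEADER_SIZE, LINK_CLSID, flags, 0x20,   # 0x20 = Archive
        to_filetime(datetime(2017, 4, 20, 16, 54, 53, tzinfo=utc)),
        to_filetime(datetime(2020, 5, 20, 22, 28, 2, tzinfo=utc)),
        to_filetime(datetime(2017, 4, 20, 16, 56, 22, tzinfo=utc)),
        5_327_102, 0, 1, 0, 0, 0, 0)


SAMPLE_LNK = build_sample_lnk()

if __name__ == "__main__":
    for key, val in parse_lnk_header(SAMPLE_LNK).items():
        print(f"{key}: {val}")
```

The three timestamps describe the link target at the moment the shortcut was written, not the .lnk file itself, which is what makes them useful when the target has since been moved or deleted; the file-system timestamps of the .lnk file are a separate piece of evidence.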


[Screenshot: Link Files view with File Name and Lnk Target columns. The Preview tab lists Link 
Target Information (Link Target, Type, Link Flags, Target File Size, Target Path), Link Attributes 
(Source File Name, LNK Data Size, Icon Index, Show Command), and Target System Information 
(Drive Type, Drive Serial, Volume Label, Local Base Path). The selected entry shows Type Archive, 
Link Flags HasLinkTargetIDList, HasLinkInfo, HasWorkingDir, IsUnicode, Show Command 
SW_SHOWNORMAL and Drive Type DRIVE_REMOVABLE; the status bar shows the .lnk path under 
/BOOTCAMP/Users/josh/AppData/Roaming/Microsoft/Windows/Recent/.] 


Recent Items 

To see recent items, on the toolbar click Actionable Intel. In the menu on the left, click Recent 
Items under File Knowledge. The Recent Items view shows information from both macOS and 
Windows systems. 
[Screenshot: Recent Items view with User, Type, Label and Item Name columns, listing 
Documents and Folder entries for user josh.] 
For Windows systems, Recent Items are parsed from information stored in the NTUSER.DAT 
registry files, for example, \Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\. 


For macOS systems, data is parsed from many locations. 


Description          Locations 

Folders              ~/Library/Preferences/com.apple.finder.plist 
                     /Library/Preferences/.GlobalPreferences.plist 

Shared File Lists    ~/Library/Application Support/com.apple.sharedfilelist/com.apple.LSSharedFileList.<MRU Type>.sfl 
(Documents, Files,   ~/Library/Application Support/com.apple.sharedfilelist/com.apple.LSSharedFileList.<MRU Type>.sfl2 
Applications, 
Hosts/Servers, 
Volumes, etc.) 

Microsoft Office     ~/Library/Preferences/com.microsoft.plist 
                     ~/Library/Containers/com.microsoft.<Office App Name>/Data/Library/Preferences/com.microsoft.<Office App Name>.securebookmarks.plist 

Volumes              ~/Library/Preferences/com.apple.finder.plist 
                     ~/Library/Preferences/com.apple.sidebars.plist 
                     /private/var/root/Library/Preferences/com.apple.sidebars.plist 

Files                /.Spotlight-V100/Store-V2/<UUID>/.store.db 
                     /private/var/db/Spotlight-V100/BootVolume/Store-V2/<UUID>/.store.db 


The Type column and the Status Bar both show where the information is parsed from. 


[Screenshot: Recent Items view with User, Type, Label and Item Name columns; the Type column 
reads Shared File List 2 and the Label column reads Favorite Servers, Recent Servers, Recent 
Documents or script.] 
The Recent Items view shows these columns in addition to the default Tagged State and 
Evidence ID. 


• User 
• Type 
• Label 
• Item Name 
• Path 
• Mount Path 
• Date 
• Index Value 


The User column is based on the path the data is parsed from. Recent Items parsed from a 
directory in /Users/<user name» show «user name> in the User column. Recent Items parsed 
from files in /private/var/root show root in the User column. The User column is blank for data 
parsed from the Spotlight index. The file path is used to populate the User column. 


Some columns are not used for all Recent Items parsed. For example, data parsed from shared 
file lists uses the Label and Index Value columns to provide information about: 


• Which LSSharedFileList the data was parsed from 
(Label is a portion of the file name of the .sfl or .sfl2 file) 
• Which item number under $archiver the entry was parsed from 
(Index Value is the item number for the entry under Root/$archiver/items/) 


[Screenshot: Recent Items parsed from shared file lists, showing the Path, Date and Index Value 
columns.] 
The same principle is used for other data parsed from plist files, but instead of the Label 
column, the Type column is used. The Type column, generated by Inspector, can be a 
combination of the plist filename and plist entry. For example, data is parsed from both 
/Root/favorites and /Root/systemitems in com.apple.sidebarlists.plist. Parsed entries are labeled 
Sidebar Favorites or Sidebar System Items, depending on the plist entry they are parsed from. 


[Screenshot: Recent Items with Type Sidebar System Items and Sidebar Favorites for user root, 
with Item Name, Path, Date and Index Value columns. The Preview tab shows the parsed 
com.apple.sidebarlists.plist (Root: Controller, CustomListProperties, ShowEjectables, 
ShowHardDisks, ShowRemovable, ShowServers, VolumesList), and the status bar reads 
"(1 of 110) - Filtered -" followed by the path of the plist under 
/Racer-Data/Users/josh/Library/Preferences/.] 


The Type for data parsed from Microsoft securebookmarks plists is based on the name of the 
plist. 


Trash Items 


Choosing Trash Items in the File Knowledge sub-view menu reveals items stored in the .Trash 
folders on macOS and the Recycle Bin folders on Windows. Since the Windows Recycle Bin 
maintains more information about files, some columns in this view pertain to Windows 
Recycle Bin records only (Trash Name and Deleted Date). 


[Screenshot: Trash Items sub-view under File Knowledge with the File Name, Trash Name, Original Path, Deleted Date and Size columns] 
Passwords 


In Actionable Intel, Passwords offers a view of parsed Apple Keychain data from macOS and iOS. 
Keychains are processed during initial evidence ingestion. Inspector identifies them by file 
extension (.keychain or .keychain-db). In macOS, there is a system keychain as well as user 
keychains. The system keychain typically stores Wi-Fi passwords and Time Machine passwords. 
Users' login keychains can contain a variety of data and are typically unlocked with the user's 
login password. 


While passwords are needed to unlock some keychain data, without any passwords Inspector 
parses all of the information stored in the System keychain and all data except the Value stored 
in locked user login keychains. 


This image shows system keychain data with no password. 


[Screenshot: Apple Keychain entries from /Racer - Data/Library/Keychains/System.keychain with the Name, Value, Description, Comment, Creation Date and Modification Date columns] 
This image shows user login keychain data with no password. 


[Screenshot: Apple Keychain entries from a locked user login keychain; the Name, Description, Comment, Creation Date and Modification Date columns are populated while the Value column is empty] 


If no passwords are entered at initial evidence ingestion, Inspector will process and display only 
the data accessible without a password. If passwords are discovered later, you can either 
reprocess the entire case or export the keychain files from the case and reprocess only the 
keychain files. 


Some rules to know before adding passwords: 


• Passwords are tried in the order they are entered. In the Passwords window, they are shown 
  in alphabetical order. 
• Passwords must be UTF-8 encoded. An error message is displayed for non-UTF-8 
  encoded passwords. 
• A password list can be imported. The list must be UTF-8 encoded with one password per 
  line. 
• Long password lists can take significant time to run. For example, 14 million passwords take 
  roughly 4 hours per keychain file. 
• When manually entering passwords, leading and trailing spaces are truncated. 


As Inspector processes keychain files, once a password successfully unlocks the data, no further 
passwords are attempted for that keychain. 
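Before importing a long list, it is worth checking it against the rules above rather than discovering a rejected line after processing has started. The following Python is an added example, not part of this guide or of Inspector: it reports the line numbers that are not valid UTF-8, re-encodes a list that was saved in a known legacy encoding, applies the space-trimming rule for manual entries, and estimates run time from the rate the guide quotes. The sample bytes are constructed for the example.

```python
# Rate quoted in the guide: roughly 14 million passwords in 4 hours per keychain file.
PASSWORDS_PER_HOUR = 14_000_000 / 4

# Constructed sample list: line 2 was saved in a legacy single-byte encoding
# (0xE9 is "é" in cp1252) and is therefore not valid UTF-8; line 3 is valid UTF-8.
SAMPLE_LIST = b"racer2012\nPorsche\xe9\ncaf\xc3\xa9\n"

# Constructed list saved entirely in cp1252 with Windows line endings.
SAMPLE_LEGACY = b"Porsche\xe9\r\nracer\r\n"


def validate_password_list(raw):
    """Check a password list against the import rules: UTF-8, one password per line.

    Returns (passwords, bad_lines), where bad_lines holds the 1-based numbers of
    the lines that do not decode as UTF-8 so they can be fixed before import.
    """
    passwords, bad_lines = [], []
    for number, line in enumerate(raw.splitlines(), start=1):
        try:
            passwords.append(line.decode("utf-8"))
        except UnicodeDecodeError:
            bad_lines.append(number)
    return passwords, bad_lines


def transcode_list(raw, source_encoding):
    """Re-encode a list saved in a known legacy encoding (for example cp1252) as
    UTF-8 with one password per line. The source encoding must be known: guessing
    it turns correct UTF-8 lines into mojibake."""
    text = raw.decode(source_encoding).replace("\r\n", "\n")
    return text.encode("utf-8")


def normalize_manual_entry(text):
    """Mirror the rule for manually entered passwords: leading and trailing
    spaces are truncated (spaces only, as the guide states)."""
    return text.strip(" ")


def estimated_hours(password_count):
    """Rough run time per keychain file at the rate the guide quotes."""
    return password_count / PASSWORDS_PER_HOUR


if __name__ == "__main__":
    passwords, bad_lines = validate_password_list(SAMPLE_LIST)
    print(f"{len(passwords)} usable passwords, non-UTF-8 lines: {bad_lines}")
    fixed, bad_after = validate_password_list(transcode_list(SAMPLE_LEGACY, "cp1252"))
    print(f"after transcoding cp1252 list: {fixed}, non-UTF-8 lines: {bad_after}")
    print(f"14 million passwords: about {estimated_hours(14_000_000):.1f} hours per keychain")
```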
Viewing Keychain Data 


With a Keychain entry selected in the Content pane, click Preview in the File Content view to 
display the contents of the Value column. For keychain entries whose Value field holds property 
list data, highlight the Value field in the Content pane and the Preview tab parses and displays 
the property list. 


[Screenshot: Apple Keychain entry whose Value column holds a binary property list (bplist00), parsed in the Preview tab] 
Tagging and Reporting Keychain Data 


Data from Apple Keychains can be tagged for inclusion in the examination report. In the report, 
only columns containing data will be shown, so if a Keychain is locked and the Value cannot be 
parsed for the entry, it will not be shown in the report. Similarly, if there is no data in the 
Description column it will not be shown in the report. 


[Screenshot: Digital Forensics Report for the Keychain tag, listing Insights Apple Keychain entries with the Source Device, Path, Name, Description, Creation Date, Modification Date, Account, File Name and Source File fields] 
Actionable Intel View 


Program Execution 


In Actionable Intel, Program Execution offers a view of evidence of applications that have been 
launched by a user. This sub-view is specific to Windows. The artifacts in this table are parsed in 
the Program Execution sub-view menu. 


Background Activity Moderator (BAM) and Desktop Activity Moderator (DAM): Information stored in the 
Windows registry (Windows 10) that tracks executables run by each user on the system. BAM controls 
the activity of background applications. DAM was created to ensure consistent long battery life; DAM 
information is stored only on tablets and mobile devices. Each BAM/DAM entry provides insight into 
the applications run by the user identified in the SID column. 

Jump Lists: Jump lists are created by the operating system (Windows 7 and above) based on user 
actions. They give the user quick access to recently accessed application files and actions. 

Last Executed: Shows the specific executable used by an application to open the files documented in 
the OpenSaveMRU key. In addition, each value tracks the directory location of the last file that was 
accessed by that application. 

Multilingual User Interface (MUI) Cache: Each time a new application is started on a Windows system, 
the application name and a description are stored in a registry key. 

Notifications: A history of notifications sent to users. 

Prefetch: Prefetching was introduced with Windows XP to minimize seek times on hard disks by loading 
into memory certain data that is needed for booting and launching applications. In this sub-view, 
Inspector lists the application file names in the top of the Content pane (along with run counts and 
times) and the associated DLL (Dynamic Link Library) files in the bottom of the Content pane. Filters 
can be applied to the data in the top of the Content pane by selecting the Show Filter button and 
applying the desired filter parameters. 

Recent Apps: Data stored in NTUSER.dat recording information about recently used applications and 
the files accessed by those apps. 

ShimCache: A mechanism in Windows to support older apps on newer versions of Windows. Provides 
information about executables. 

Superfetch: Introduced with Windows Vista; stores launch times and preloads applications into 
memory based on a given user's previous usage patterns. Inspector displays the volume name, entry 
name, and run time for each item. 

User Assist: Shows applications the user has launched; the data is parsed from NTUSER.DAT. The 
information can be used to determine the frequency of program execution for each user account, the 
last time a program was launched, where the program was launched from, information about programs 
that have been deleted or uninstalled from the system, and proof of the existence of data in a 
location that is no longer available. 

Windows Activity Timeline: Tracks user activities, e.g. website accesses, program executions, files 
accessed by programs, and when particular apps were in focus. 

AmCache: Stores metadata about ShimCache executables that have been run, programs installed, and 
devices connected. 

ComDlg32: Tracks when the user used the Open/Save dialog box to open or save a file. 

System Resource Usage Monitor (SRUM): Monitors desktop applications, services, Windows apps, and 
network connections. SRUM data is stored in the Windows registry, with historic information 
contained in a database. Information tracked includes network connectivity, network data usage, 
application resource usage, Windows push notifications, and energy use. 
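For readers who want to see what two of these artifacts look like on disk, the following Python is an added example (not Inspector's parser) that decodes constructed registry values: a BAM/DAM value, whose first 8 bytes are a FILETIME of the last execution, and a Windows 7 and later User Assist value, whose name is ROT13-encoded and whose 72-byte data holds the run count at offset 4 and the last-run FILETIME at offset 60. Those layouts are facts about the Windows formats rather than something the guide states; the program name, run count and timestamps are constructed for the example.

```python
import codecs
import struct
from datetime import datetime, timedelta, timezone

# Windows FILETIME counts 100-nanosecond ticks from 1601-01-01 00:00:00 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

# Constructed values shared by the samples below.
SAMPLE_LAST_RUN = datetime(2020, 5, 19, 21, 6, 10, tzinfo=timezone.utc)
SAMPLE_PROGRAM = "Mozilla Firefox\\firefox.exe"


def filetime_to_datetime(filetime):
    return FILETIME_EPOCH + timedelta(microseconds=filetime // 10)


def datetime_to_filetime(when):
    return int((when - FILETIME_EPOCH).total_seconds()) * 10_000_000


def decode_bam_value(data):
    """A BAM/DAM value (REG_BINARY, named after the executable path and stored
    under the user's SID) starts with an 8-byte little-endian FILETIME of the
    last execution."""
    (filetime,) = struct.unpack_from("<Q", data, 0)
    return filetime_to_datetime(filetime)


def decode_userassist_value(name, data):
    """Windows 7 and later UserAssist value: the value name is the program path
    ROT13-encoded; in the 72-byte data, offset 4 holds the run count (uint32)
    and offset 60 the last-run FILETIME (0 when no run time was recorded)."""
    program = codecs.decode(name, "rot_13")
    (run_count,) = struct.unpack_from("<I", data, 4)
    (filetime,) = struct.unpack_from("<Q", data, 60)
    last_run = filetime_to_datetime(filetime) if filetime else None
    return program, run_count, last_run


def build_sample_bam_value(last_run=SAMPLE_LAST_RUN):
    """Constructed 24-byte BAM value: FILETIME followed by padding."""
    return struct.pack("<Q", datetime_to_filetime(last_run)) + b"\x00" * 16


def build_sample_userassist_value(program=SAMPLE_PROGRAM, run_count=7,
                                  last_run=SAMPLE_LAST_RUN):
    """Constructed UserAssist (value name, value data) pair."""
    data = bytearray(72)
    struct.pack_into("<I", data, 4, run_count)
    struct.pack_into("<Q", data, 60, datetime_to_filetime(last_run))
    return codecs.encode(program, "rot_13"), bytes(data)


if __name__ == "__main__":
    print("BAM last run:", decode_bam_value(build_sample_bam_value()).isoformat())
    name, data = build_sample_userassist_value()
    print("UserAssist value name as stored:", name)
    print("UserAssist decoded:", decode_userassist_value(name, data))
```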


To see any of these artifacts, on the toolbar click Actionable Intel. In the menu on the left, click 
the appropriate artifact category under Program Execution. For some artifacts, additional 
information is parsed by Inspector; the Content pane splits to show additional data. The most 
complex is Jump Lists. 


Select the jump list that was created for a particular application. For that jump list, the bottom 
portion of the Content pane shows Link Targets, Type, Drive Type, Target Path, Target Date 
Accessed, Target Date Created, and Target Date Written. 

[Screenshot: Jump Lists sub-view with the link targets of the selected jump list in the bottom portion of the Content pane and the Preview tab in the File Content view] 

Select an item in the bottom portion of the Content pane. In the File Content view, click 
Preview to see information relating to the item. 

Information can be tagged for reporting purposes from individual rows shown in the File 
Content view. Additionally, you can use Find in the Content pane. 
Search 


In Actionable Intel, Search offers a view of parsed search data from macOS and Windows. 


In macOS, Apple Spotlight Shortcuts are parsed and displayed. When a user on a Mac computer 
presses CMD+SPACEBAR, Spotlight Search appears. 


[Screenshot: Spotlight Search bar] 


As the user begins typing, Spotlight provides recommendations based on the characters typed. 
The user can choose a suggestion before finishing the entire word or string. That 
information is stored in 
~/Library/Application Support/com.apple.spotlight/com.apple.spotlight.Shortcuts. The parsed 
data shows this information: 


• the user account the data was parsed from (User) 
• what the user typed (Typed) 
• what Spotlight displayed for the item the user selected (Display Name) 
• the Last Used timestamp 
• the location of the selected item such as the path for apps, path for files, URLs for websites, 
  and more (URL) 
• the file the data was parsed from (Source) 


To see searched items from a Mac computer, in the toolbar click Actionable Intel, then in the 
menu on the left, click Apple Spotlight Shortcuts under Search. 


[Screenshot: Apple Spotlight Shortcuts sub-view under Search with the Typed, Display Name, Last Used, URL and Source columns, and the Preview tab showing the parsed plist dictionary] 
To see searched items from a Windows computer, in the toolbar click Actionable Intel, then in 
the menu on the left, click Windows Explorer under Search. 

For Windows, Windows Explorer search artifacts are parsed and displayed. In Windows 7 and 
Windows 10, this data is stored in NTUSER.dat in the WordWheelQuery key. 
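Both search artifacts described in this topic are small enough to parse by hand, which is useful when checking Inspector's output against the raw source. The following Python is an added example, not Inspector's code, covering both: it turns a constructed com.apple.spotlight.Shortcuts plist into the User, Typed, Display Name, Last Used, URL and Source columns listed above, and it orders the search terms of a constructed WordWheelQuery key by its MRUListEx value. The plist is assumed to be a dictionary keyed by the typed text, with DISPLAY_NAME, LAST_USED and URL in each entry (key names assumed); the WordWheelQuery layout, numbered REG_BINARY values holding UTF-16LE NUL-terminated terms plus an MRUListEx of little-endian uint32 indices ending in 0xFFFFFFFF, is a fact about the Windows format rather than something the guide states.

```python
import plistlib
import struct
from datetime import datetime

# Constructed com.apple.spotlight.Shortcuts: keyed by what the user typed, each
# entry carrying the display name, last-used time (UTC) and the item's URL/path.
SAMPLE_SHORTCUTS = plistlib.dumps({
    "pages": {"DISPLAY_NAME": "Pages.app",
              "LAST_USED": datetime(2020, 5, 19, 21, 24, 8),
              "URL": "/Applications/Pages.app"},
    "fire": {"DISPLAY_NAME": "Firefox.app",
             "LAST_USED": datetime(2018, 12, 14, 13, 58, 44),
             "URL": "/Applications/Firefox.app"},
})

# Constructed WordWheelQuery key: numbered REG_BINARY values hold UTF-16LE,
# NUL-terminated search terms; MRUListEx lists their indices most recent first.
SAMPLE_WORDWHEEL_VALUES = {
    "0": "racer".encode("utf-16-le") + b"\x00\x00",
    "1": "bobbyR".encode("utf-16-le") + b"\x00\x00",
    "2": "invoice".encode("utf-16-le") + b"\x00\x00",
}
SAMPLE_MRULISTEX = struct.pack("<4I", 2, 0, 1, 0xFFFFFFFF)


def spotlight_shortcut_rows(plist_bytes, user, source):
    """(User, Typed, Display Name, Last Used, URL, Source) rows, sorted by Typed."""
    root = plistlib.loads(plist_bytes)
    rows = [(user, typed, entry.get("DISPLAY_NAME"), entry.get("LAST_USED"),
             entry.get("URL"), source)
            for typed, entry in root.items()]
    return sorted(rows, key=lambda row: row[1])


def wordwheelquery_rows(values, mru_list_ex):
    """(position, value index, term) rows in most-recent-first order."""
    order = []
    for (index,) in struct.iter_unpack("<I", mru_list_ex):
        if index == 0xFFFFFFFF:      # list terminator
            break
        order.append(index)
    rows = []
    for position, index in enumerate(order):
        raw = values.get(str(index))
        if raw is None:              # MRUListEx may reference a value that is gone
            continue
        term = raw.decode("utf-16-le").split("\x00", 1)[0]
        rows.append((position, index, term))
    return rows


if __name__ == "__main__":
    for row in spotlight_shortcut_rows(SAMPLE_SHORTCUTS, "josh",
                                       "com.apple.spotlight.Shortcuts"):
        print(row)
    for row in wordwheelquery_rows(SAMPLE_WORDWHEEL_VALUES, SAMPLE_MRULISTEX):
        print(row)
```

The MRUListEx order matters for interpretation: the value names ("0", "1", ...) reflect when a term was first seen, while the MRUListEx sequence records which term was searched for most recently.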


[Screenshot: Windows Explorer sub-view under Search with the Last Write, Value, UserName and Key Path columns] 
Activity Correlation 


The Correlation view in Actionable Intel makes it easy to see the story of an entity's activity. 


You can easily see, filter, and pivot on all correlated events, whether they were done by a user or 
by the system. There are three types of entities: System, User, and Device. These entities are 
listed in the left column of the Correlation view and can be enabled or disabled as necessary. 
The number of correlated events is shown in parentheses after each entity's name. 


You can run the Correlation engine during initial ingestion or afterward by selecting Correlation 
from the Evidence Status view. 
Each entity can have one or many events associated with it. Each entity also has its own 
attributes, which you can see by double-clicking the entity or pressing SPACEBAR. This lets you 
quickly see attributes like when an operating system was installed, the specific version, the 
registered owner, and more. 


[Screenshot: Correlation view with the Range date filter, the Systems, Users and Devices entity list, the event list, and the attributes of the selected MacOS entity (ProductVersion, ProductBuildVersion, ProductName, autoLoginUser and more)] 


The middle pane of the Correlation view shows a list of all the events, and includes the time of 
each event, the owner of each event, the type of event, and a full description. This list can be 
shortened by deselecting any of the entities in the list. It is also possible to filter these events 
based on time and date. This will only show events between the selected dates. 


[Screenshot: Correlation view with the Range date picker open and the event list showing Time, Owner, Event Type and Description] 
You can search on keywords, which are then highlighted in the event list. The scrollbar marks 
where the keywords exist in the list so you can quickly scroll to the marks to see each instance 
of the highlighted keyword. 


[Screenshot: Correlation view with the keyword "gibby" entered in the search field and the matching events highlighted in the list] 


In the right side of the Correlation view, you can see Event Attributes and Event Artifacts. Event 
Attributes provides information about the selected event such as its type, its name, and its value, 
for example file path, file name, and so forth. Event Artifacts shows all the artifacts that are 
associated with the selected event. For example, if the file bobbyR.txt was accessed by the user 
Gibby, you can see the path for that file, the user who accessed it, the drive it was on, and in this 
case the Windows jumplist entry that was created for it. 


Event Attributes: 

Type       Name         Value 
FilePath   TargetPath   F:\bobbyR.txt 

Event Artifacts: 

Source           Type        Name                  Description / Value 
1:31:23 (..      JMPList     FileAccessed          F:\bobbyR.txt 
                 FilePath    TargetPath            F:\bobbyR.txt 
                 UserName    UserName              Gibby 
                 FileName    TargetName            bobbyR.txt 
                 FileName    NormalizedFileName    bobbyR.txt 
                 FileFolder  NormalizedFileFolder  F: 


To pivot to the created jumplist so you can view other items, open the context menu on any of the 
items in Event Artifacts and click Reveal » Item in Native View. 
Plugins View 


The Plugins view provides access to other tools integrated into Inspector. At this time, the Plugin 
Manager provides a way to integrate Apple Pattern of Life Lazy Output'er (APOLLO) into 
Inspector. 


To view plugins installed in Inspector, or to update to a newer version of a plugin, click Manage » 
Plugins. The Manage Plugins window shows all installed plugins and the source and version 
number for each. 


[Screenshot: Manage Plugins window listing Plugin APOLLO-master, Version 01172019, Source Sarah Edwards | @iamevltwin | mac4n6.com, with an Install... button] 


In the Manage Plugins window, you can install and remove plugins from Inspector. To install a 
newer version of a plugin, you must first select the plugin and click Remove. 


This chapter provides this topic about the Plugins View. 
e APOLLO Plugin 


APOLLO Plugin 


APOLLO, written by Sarah Edwards, is a Python script which runs a series of queries against the 
SQLite databases on iOS devices. APOLLO's power is in the SQL queries, each query designed to 
look at specific iOS data. The queries are categorized by function and stored in text files. APOLLO 
aims to easily correlate multiple databases with hundreds of thousands of records in order to 
determine what has happened on the device. For more information, see the series of blog posts 
by Sarah Edwards at https://www.mac4n6.com/blog/. 


APOLLO is included in the Inspector installer and will install into these directories. 


e macOS: 
/Users/«username»/Library/Application Support/Cellebrite/Inspector/Plugins/APOLLO-master 
e Windows 10: 
C:\Users\<username>\AppData\Roaming\Cellebrite\Inspector\Plugins\APOLLO-master 
Get a new version of the APOLLO Plugin 


1. Download a zip archive of the APOLLO modules file from 
   https://github.com/mac4n6/APOLLO. 

2. In the Manage Plugins window, select the APOLLO plugin and click Remove. 

3. Click Install and select the APOLLO zip archive. 


Use the APOLLO Plugin 


1. Import a macOS or iOS device into Inspector. 
2. Select the device in the Component list. 
3. On the toolbar, click Plugins. 


The APOLLO queries run, and results are shown in the Content pane. 


The queries in APOLLO are categorized based on what data is queried. Inspector separates 
APOLLO data into each category and displays the results of each query. 


[Screenshot: Plugins view with the APOLLO categories (Interaction, Knowledge, Activity Level, App Activity, App In Focus, App Install and others) in the left menu and the Knowledge query results in the Content pane] 


To see the query used, view the text files associated with the query stored in the APOLLO-master 
directory. 
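To show how a module text file drives a query, the following Python is an added example modelled on the layout visible in the screenshot of a module file ([Module Metadata] with AUTHOR and MODULE_NOTES, [Database Metadata] with DATABASE); it is not APOLLO's own code. It reads a constructed module with Python's configparser, runs the module's query against an in-memory SQLite table built for the example, and returns the rows as dictionaries. The [SQL Query ...] section name, the QUERY key, and the table and column names are assumptions for the example; the two timestamps echo rows in the Plugins screenshot.

```python
import configparser
import sqlite3

# Constructed module text in the layout visible in the screenshot. The
# [SQL Query ...] section name, the QUERY key and the table/column names are
# assumptions for this example, not APOLLO's actual module.
MODULE_TEXT = """\
[Module Metadata]
AUTHOR=Example Examiner
MODULE_NOTES=Constructed module listing applications recorded in a power log

[Database Metadata]
DATABASE=CurrentPowerlog.PLSQL
PLATFORM=IOS

[Query Metadata]
QUERY_NAME=powerlog_app_info
KEY_TIMESTAMP=TIMESTAMP

[SQL Query 11.0.0]
QUERY=
    SELECT
        DATETIME(TIMESTAMP, 'unixepoch') AS TIMESTAMP,
        APPNAME,
        APPBUNDLEID,
        APPTYPE
    FROM PLAPPLICATIONAGENT_EVENTNONE_ALLAPPS
    ORDER BY TIMESTAMP
"""


def load_module(text):
    """Parse a module file: metadata plus one SQL query per [SQL Query ...] section."""
    parser = configparser.ConfigParser(interpolation=None)   # SQL may contain '%'
    parser.read_string(text)
    queries = {name: parser[name]["QUERY"].strip()
               for name in parser.sections() if name.startswith("SQL Query")}
    return {
        "author": parser["Module Metadata"]["AUTHOR"],
        "notes": parser["Module Metadata"]["MODULE_NOTES"],
        "database": parser["Database Metadata"]["DATABASE"],
        "queries": queries,
    }


def run_module(module, connection):
    """Run each query of the module on an open SQLite connection; rows become dicts."""
    results = {}
    for name, sql in module["queries"].items():
        cursor = connection.execute(sql)
        columns = [description[0] for description in cursor.description]
        results[name] = [dict(zip(columns, row)) for row in cursor.fetchall()]
    return results


def build_sample_database():
    """In-memory stand-in for the database the module targets (constructed rows)."""
    connection = sqlite3.connect(":memory:")
    connection.executescript("""
        CREATE TABLE PLAPPLICATIONAGENT_EVENTNONE_ALLAPPS (
            ID INTEGER PRIMARY KEY, TIMESTAMP REAL, APPNAME TEXT,
            APPBUNDLEID TEXT, APPTYPE INTEGER);
        INSERT INTO PLAPPLICATIONAGENT_EVENTNONE_ALLAPPS VALUES
            (1, 1588023505, 'Mail', 'com.apple.mail', 3),
            (2, 1588023540, 'Safari', 'com.apple.Safari', 3);
    """)
    return connection


def demo():
    """Load the constructed module and run it against the constructed database."""
    return run_module(load_module(MODULE_TEXT), build_sample_database())


if __name__ == "__main__":
    for query_name, rows in demo().items():
        print(query_name)
        for row in rows:
            print("  ", row)
```

Reading the query text from the module rather than embedding it in code is what lets an examiner open the .txt file in the APOLLO-master directory, as the paragraph above describes, and see exactly which SQL produced a given category of results.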


[Screenshot: the APOLLO-master/modules folder in Finder with one module text file previewed; the file begins with [Module Metadata] containing AUTHOR and MODULE_NOTES entries, followed by [Database Metadata] with a DATABASE entry] 
During a forensic analysis, you can tag items of interest. Tagged data can then be included in the 
examiner report. Individually tagged items are stored within tags. Tags are used to organize a 
group of similar or related items. 


This chapter provides these topics about tagging in Inspector. 
e Adding Tags 

e Configure Metadata for Tags 

e Tagging Evidence 

e Tags View 

e Deleting Tags 


Adding Tags 


There are several ways to create tags. 


1. You can create tags in large batches if you have a plan in mind, or you can create tags during 
   the course of an examination as you select items of interest. 

   • In the Component list, to the right of TAGS, click Add. 
   • In any Inspector view, select an item of interest, then choose either of these actions. 
     ○ On the menu bar, click Tags » Tag «artifact» As, where «artifact» is the type of item 
       you selected, and then click New Tag. 
     ○ Open the context menu with that item selected, then click Tag «artifact» As, where 
       «artifact» is the type of item you selected, and then click New Tag. 


A new empty tag is created that you can name and describe. 


[Screenshot: Tag Properties dialog box with the Tag Name and Narrative fields and the Export Files With Report and Censor Pictures checkboxes] 


The default name is Tag <#>, where <#> is an incremental number. 


2. Either in the Tags section of the Component list, select a tag and type a name in the Tag 
Name field, or in the Tag Properties dialog box type a name in the Tag Name field. 
The tag's default name is overwritten with the new name. You can rename any tag this way 
any time you like. 

3. In the Narrative field, add a narrative to describe either the contents of the tag or the reason 
you created the tag. 


252 


August 2021 Inspector User Guide 


Pictures, text messages, calls, .plist info, and so forth can all be tagged. Keep the examiner 
report in mind while you tag items. Tag similar items with the same tag to keep them together in 
the report. For instance, use tags to group pictures (one for censored and one for uncensored 
pictures), phone data, or Internet files together. 


Configure Metadata for Tags 


You can edit tags to choose the metadata to include for all files under each tag. Editing tags is 
faster and more efficient than providing this same information item by item. This lets you 
choose metadata before you make a case report rather than when each tag is created. 


In the Tag view, click Configure to choose specific metadata to include. 


[Screenshot: Tag view showing the Tag Name and Narrative fields, the Export Files with Report and Censor Pictures options, and two tagged email items with their From, To, Subject, Received Date, Sent Date, Message ID, Size and Attachment metadata] 
The Tag Content dialog box appears. 


[Screenshot: Tag Content dialog box with the Tag Name field, the Tag Type list (for example, PictureTag), the Include (drag to reorder) list of metadata items such as BETID, FileSystemID, SizeOnDisk, Extension, Date Changed, Visible, and Locked, a Copy these settings to field, and the Reset, Exclude, and Close buttons.] 


When you configure a tag, any metadata that is available across all tag types appears in the 
Include list. By default, the current tag name is shown along with the tag type. You can also 
copy these settings to other tags. To arrange the metadata for a tag in order of importance, drag 
and drop the items in the Include list. This order determines how they appear in the Tag view 
and thus in the report. 


The Tag view shows the specific metadata items that are included by default along with the 
number of metadata items that can be included. 


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Tagging Evidence 


Inspector automatically assigns a keyboard shortcut to each new tag as it is created. For 
example, the first tag's shortcut is CMD+1 (Mac) or CTRL+1 (Windows), the second tag's shortcut 
is CMD+2 or CTRL+2, and so forth. 


There are many ways to tag evidence. Begin by selecting any item from one of the panes or views 
in the Case window, then use whichever approach you prefer. 


• On the menu bar, click Tags » Tag <Item Type> As. 

• Open the context menu and click Tag <Item Type> As. 

• Drag and drop the item from the Case window onto an existing tag. 

• Press the shortcut keys for a specific tag. To see the shortcut keys for all the tags in the 
Component list, select an evidence item and then hold down the CMD key (Mac) or the CTRL 
key (Windows). 

• Press the shortcut keys for the tag last used, CMD+T (Mac) or CTRL+T (Windows). 


Tagged files are marked with a tag icon. In the Tags section of the Component list, a number 
badge shows how many items each tag contains. 


[Screenshot: Component list with the Evidence, Activity (Evidence Status, Export Status), Tags (Email, Calls, SMS, Tag2, each with a number badge), Content Searches, Index Searches (New Index Search), and Investigative Notes sections.] 
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Tagging File Content 


You can tag a piece of file content or parsed information without tagging the entire file. This is 
useful to tag items of interest parsed by Inspector or contained within .plist files, SQLite 
databases, and so forth. 


For each category in Actionable Intel, there is a corresponding tagging submenu (such as Device 
Backups, Device Connections, Air Drop, Apple Keychain, Apple Spotlight Shortcuts, and so on). 
Similarly, there are corresponding tagging submenus for each sub-view in Communications, 
Locations, Internet, Productivity, and System. Data tagged from Plugins is tagged as the data 
type Plugins. 


These are the other content-aware data types. 


Content          Description 
Plist Data       Individual items from within a .plist file 
SQLite Record    Individual record from within an SQLite database 
Hex Data         Hexadecimal data 
Text             Highlighted text 


Under most circumstances, the parent file containing tagged file content is marked with a tag 
icon to indicate it contains tagged content. A single tagged .plist file item or a single tagged 
database record also has a tag icon that is visible in the File Content view, but some tagged 
content items, including tagged text snippets and hex data, do not. 


Tagged .plist items may appear to have numbering inconsistencies. For example, if a single 
.plist item is tagged as item number 4, it may appear in the Tags view and Case Report view as 
item number 0. This happens because .plist files store data in arrays, and the elements of these 
arrays are not stored with corresponding index numbers. When verifying a tagged .plist item 
against the source file, rely on the item's key path and content rather than on the displayed 
number. 
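One way to verify a tagged .plist array element independently of the number a view shows is to locate it by key path in the source file. The following is an added example, not Inspector code and not part of this guide; it uses only Python's standard library, and the plist content, key names, and URLs in it are constructed for illustration.

```python
"""Locate tagged .plist array elements by key path rather than by item number.

Added example (not Inspector code). Standard library only. SAMPLE_PLIST is
constructed for illustration; the key names and URLs are not from any real
evidence file.
"""
import plistlib
from typing import Any, Iterator, List, Tuple

# Constructed sample plist: a flat array with a repeated value, plus nested
# arrays of dictionaries like a browser session file.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>RecentItems</key>
  <array>
    <string>notes.txt</string>
    <string>photo.jpg</string>
    <string>budget.xlsx</string>
    <string>photo.jpg</string>
  </array>
  <key>Sessions</key>
  <array>
    <dict>
      <key>Tabs</key>
      <array>
        <dict><key>URL</key><string>https://example.com/a</string></dict>
      </array>
    </dict>
    <dict>
      <key>Tabs</key>
      <array>
        <dict><key>URL</key><string>https://example.com/b</string></dict>
        <dict><key>URL</key><string>https://example.com/a</string></dict>
      </array>
    </dict>
  </array>
</dict>
</plist>
"""


def walk(node: Any, path: str = "") -> Iterator[Tuple[str, Any]]:
    """Yield (key_path, value) for every leaf value in a parsed plist.

    Dictionary keys are joined with '.'; array elements get a 0-based '[i]'
    suffix. Arrays store no index alongside their elements, so the index is
    derived purely from the element's position in the array it sits in.
    """
    if isinstance(node, dict):
        for key, value in node.items():
            yield from walk(value, f"{path}.{key}" if path else key)
    elif isinstance(node, list):
        for i, value in enumerate(node):
            yield from walk(value, f"{path}[{i}]")
    else:
        yield path, node


def find_paths(data: bytes, value: Any) -> List[str]:
    """Return every key path whose leaf equals `value`, in file order."""
    return [path for path, leaf in walk(plistlib.loads(data)) if leaf == value]


def get_by_path(data: bytes, path: str) -> Any:
    """Resolve a key path produced by walk() back to its value.

    Keys that themselves contain '.' or '[' are not supported by this
    simple path syntax.
    """
    node = plistlib.loads(data)
    for part in path.split("."):
        key, _, rest = part.partition("[")
        if key:
            node = node[key]
        while rest:
            index, _, rest = rest.partition("]")
            node = node[int(index)]
            rest = rest.lstrip("[")
    return node


if __name__ == "__main__":
    # A value that appears twice: the displayed item number alone cannot say
    # which occurrence was tagged, but the key path can.
    for path in find_paths(SAMPLE_PLIST, "photo.jpg"):
        print(path, "->", get_by_path(SAMPLE_PLIST, path))
```

Record the key path (for example, RecentItems[3]) in the tag narrative or an investigative note; it stays meaningful whichever number a view displays for the element.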


Tagging Email 


If email previews must be included in the examiner report, you must tag the email from within 
the Email sub-view of the Communications view or from Index Search when the Type field is 
Email. Email tagged in any other view, such as File Filter or in search results, does not result in 
previews in a report. For more information, see these topics. 


• Inspector Preferences or Options 
• Generating and Exporting the Examiner Report 
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Tagging External Content 


External items such as a screenshot can be tagged and added to the case if necessary. 


If a file cannot be displayed in Inspector, export the file and open it in its native application. Take 
a screenshot and save it to the desktop. Select the appropriate tag in the Component list. Drag 
the file from the desktop and drop it into the Content pane. 


[Screenshot: Tags view for Tag 2 showing the Tag Name and Narrative fields, the Export Files with Report and Censor Pictures checkboxes, and two tagged SMS messages with Date, Date Read, and Date Delivered fields. The Component list on the left shows the Evidence, Activity, Tags, Content Searches, Index Searches, and Investigative Notes sections.] 


The file is added to the selected tag as external content. 


[Screenshot: the Case window after the drop, showing the same Tags view.] 


The only way to add external content to an Inspector case is by using this drag-and-drop method. 
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Microsoft > Windows > CurrentVersion > Policies > System. Double-click the EnableLUA key and - 
change the value from 1 to 0. 


The process of tagging large amounts of items happens in the background, which allows you to 
accomplish other work in the case. If you close the case while tagging Is still happening in the 
background, you can choose to keep the case open so you don't lose all items still in process. 


Tags View 


The Tags view is one of the most important views in Inspector. This is where evidence is 
organized before the examiner's report is created. For more information, see Reporting. 


[Screenshot: Tags view showing the Censor Pictures checkbox and two tagged email messages under Communications Email Message (2 items), with Received Date, Sent Date, and Message ID fields.] 


The Tags view is blank until tagged evidence is added. As tagged evidence is added, the Content 
pane is populated. 


These are the options you can enable in the Tags view. 


Option                    Description 
Export Files With Report  Export the tagged files in the tag with the report 
Censor Pictures           Blur the images in the tag 


By default, tagged files are not exported when a report is generated. To export the tagged files, 
mark the Export Files With Report checkbox. 


Sometimes a case includes images that are sensitive or cannot be legally possessed by certain 
parties. Mark the Censor Pictures checkbox to blur these images. The images are visible in the 
Tags view, but the Report view and the report itself censors the pictures. 


You can expand or collapse items in the Content pane to create more space to view other items. 
By default, items are expanded. In the upper right corner of each item in the Content pane, click 
expand or collapse. 
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These are the other options for tagged items. 


Icon                   Description 
(add note icon)        Add a note to the selected tagged item 
(note present icon)    A tagged item has a note. Click to edit the note 
(metadata icon)        A tagged item has associated metadata. Click to change the metadata selections included in the examiner report 
(location icon)        A tagged item has geolocation data. Click to add the location map along with the item. The icon turns green when selected 


Tagged items can be rearranged within a tag. Tagged items closer to the top of the list appear 
earlier in the examiner report. On the far right of the tagged item is a handle. Grab and hold the 
handle and drag the item up or down to move it in the list. Release the item in the appropriate 
position in the list. 


[Screenshot: Files (5 items) list in the Tags view. Each tagged file shows its Name, Path, and Size (for example, AFC-Info.plist, /AFC-Info.plist, 2047 (1.9 KB)) and has a drag handle on the right.] 


You can move tagged items to other tags by dragging and dropping. Select a tagged item or 
multiple tagged items and drag them to another tag. A red number badge appears indicating the 
number of tagged items being moved if more than one item is selected. 


When items are moved to a tag in the Component list, a gray border appears around the 
destination tag name. When the items are moved to the correct destination tag, drop the items. 
The number badges for both the source and destination tags reflect their new tagged item count. 


[Screenshot: a tagged item in the Tags view with the message "35 of 35 additional metadata selected for reporting. Click the Configure button to select which additional metadata will be displayed in reports." shown above the item's Name and Path fields.] 
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Deleting Tags 


Items can be removed from tags, and the tags themselves can be deleted. Open the context 
menu for a tag or a tagged item to see the menu options. 


For tagged items in any view, the menu shows every tag container that item is stored in and 
allows removal from all or some of the containers. 


[Screenshot: context menu opened on a tagged SMS item in the Communications view. The Component list shows the Email, Calls, and SMS tags; the menu lists the tags the item belongs to along with Find Identical Files and File History.] 


In the Tags view, you can remove an item from a tag. Select the item and press DELETE, or on the 
menu bar click Tags » Delete Selected Tag Item. 


In the Tags view, you can remove all tagged items from a tag but keep the tag itself. Select all 
the items in the tag and press DELETE. 


In the Tags view, you can delete a tag along with all the items in it. Select the tag in the 
Tags view and press DELETE, or on the menu bar click Tags » Delete Selected Tag. 


Reporting 


This chapter provides these topics about reporting in Inspector. 


• Report View 
• Tags and Tagged Items 
• Reporting Device Details 
• Generating and Exporting the Examiner Report 


Report View 


In the toolbar, click Report. Options for the examiner report appear along with a report preview. 


[Screenshot: Report view. The preview shows the Cellebrite logo, the Digital Forensics Report title, and the Case Name, Case Number, Report Date, Examiner Name, Examiner Title, Examiner Company, Examiner Address, Examiner Email, Examiner Phone, and Examiner Fax fields.] 


You can create a simple report that details all of the information without first tagging everything 
in the case. In the report side bar, click Case Data in the Report Elements section. This lets you 
quickly select everything or select only certain things to report on. To select all or none, press 
SHIFT while you click on the report element header. 


You can customize the report logo by dragging and dropping a new logo on top of the Cellebrite 
logo. Alternatively, you can click the logo to select a new one. 


You can select evidence items to report on, then click Configuration (the wheel icon) to the right 
of Case Data. Choose Selected evidence items from the menu, and only those items will appear 
in the report. 


[Screenshot: Report Elements list with Export checkboxes for evidence items (pagefile.sys, hiberfil.sys), Evidence Tags, and Case Data (Apps, Audio, Calendar, Calls, Contacts, Device Backups, Device Connections, and so on). The Configuration menu next to Case Data offers "Include case data from: All evidence items" and "Selected evidence items, currently (2) (6) (7) (10)".] 
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HTML reports are broken down into smaller pages to make it easier to load into web browsers. 


Items in the Report Elements list correspond to items in the Case Info view, and the Evidence 
and Tags sections of the Component list. You can include a table of contents that links to each 
section of the report. The Contents section links work in reports exported to .html, .pdf, or .docx 
format. 


To include or exclude Report Element items from the examiner report, mark or unmark the 
checkbox to the left of each item. To change the order of items in the Report Elements list, 
select and drag the items up or down and release them in the appropriate location. Report 
elements appear in the examiner report in the order that they are listed; elements at the top of 
the list appear first in the examiner report. Move important elements or evidence to the top of 
the list to include them earlier in the report. 


Tags and Tagged Items 


Select and drag the tags up and down to change the order in which tags and tagged items 
appear in the examiner report. While you can reorder tags in the Report view, individual tagged 
items within each tag cannot be reordered in this view. 


To reorder individual items within a tag, in the Tags section of the Component list, select the 
appropriate tag. On the right side of each tagged item, click and hold the handle (three gray 
horizontal hash marks), drag the item up or down, and release it in the appropriate location. To 
see the item's new location in the examiner report preview, click Report in the toolbar. For 
more information, see Tags. 


To see both the Tags section and the Report view at the same time, on the menu bar click 
Window » New Window for this Case. Place the two windows side by side. Select a tag in one 
window, and on the toolbar in the other window, click Report. In the Tags window, select a tag 
and reorder the items within the tag. In the toolbar of the Report window, click Report to refresh 
the report preview. Tagged items appear in their new order in the report. 
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Reporting Device Details 


You can show or hide data associated with each device listed in the Report Elements section. 
Note that disk image partitions and unallocated space are listed separately in the Report 
Elements list, and a checkbox appears to the left of each. Conversely, each device representing a 
logical acquisition, such as an evidence folder or an iOS device backup, normally has only one 
data item with one checkbox associated with it. 


[Screenshot: device details in the report preview for an iOS backup: the partition path, Type (iOSBackupEncrypted), Sector Size (512), Initial Report Writer Case Version (Inspector 10.3), Name, Snapshot, Snapshot Date, Model Version, Carrier, Capacity, Phone Number, Cellular Usage, Data Available, Data Used, OS Version, Product Type, and Model Number fields.] 


To include or exclude device details in the Details view of the report for any partition, either mark 
or unmark the checkbox for any partition in the Report Elements section. 


Device details from the Details view cannot be included or excluded individually via the Inspector 
Report view. However, these items are exported separately. Therefore, you may delete them as 
necessary after the report is generated and exported. 
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Generating and Exporting the Examiner Report 


In the top left corner of the Content pane, set the Report Date to the current date, and then 
select an export file format for the report. Examiner reports can be exported as searchable .pdf, 
.html, .docx, .csv, or plain text files. 


Note: Natively rendered chat histories (graphic representations) are also searchable. 


To preview the report prior to export, drag the scroll bar on the right side of the Content Pane up 
or down (using the scroll bar navigation arrows at the bottom of the scroll bar). 


For email previews to be included in reports, you must enable them on the Reports tab of the 
Preferences or Options window for Inspector. For more information, see Inspector Preferences 
or Options. Additionally, the emails must be tagged either within the Email sub-view of the 
Communications view or from Index Search when the Type field is Email, and you must also 
mark the Export checkbox in the Report view. 


After all settings are set as desired, click Generate Report. A Save prompt appears. 


Inspector exports the examiner report to a folder with the default name Inspector Report <current 
date and timestamp>. To change the default folder name, type a new folder name into the Save As 
field. Choose a location to save the report and click Save. 


When the report generator finishes creating the report, a Report Complete dialog box appears. 
To see the exported report in the file system, click Reveal Report. To open the report, click Open 
Report. You may view, search, and modify the exported report in an appropriate application, such 
as Microsoft Word (.docx report) or a web browser (.html report). The report folder contains the 
report itself and an Evidence folder. The Evidence folder contains exported files associated with 
tags where the Export checkbox within the Report Elements list was checked. The Evidence 
folder also contains an Export Log.txt file. 
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Portable Cases 


This chapter provides these topics about portable cases in Inspector. 


• Select Data for the Portable Case 
• Generating and Reviewing a Portable Case 
• Portable Case Interface 


Select Data for the Portable Case 


Inspector's Portable Case feature lets you share case data for offline review. A portable case 
does not rely on access to the original evidence files. Instead, logical evidence files are created. 
These include only data selected for sharing as part of the portable case file. 


To create a portable case file, click Share on the toolbar. From the parsed evidence items listed 
in the Component list, select the evidence to include in the portable case. The Content pane 
contains these areas: Extracted Data, Tag, and Search. By default, all data in each area is 
selected for inclusion. 


[Screenshot: Share view footer with the options "Include Portable Case Reader for: Windows, Mac" and the status "Exporting data from 1 of 6 evidence items".] 
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Extracted Data 


In Extracted Data, the sections of Inspector where data is parsed are listed, including Actionable 
Intel, Communications, Media, Locations, Internet, and Productivity. For each section, the 
associated processing options must be run for data to be parsed. For example, if Video Analysis 
has not been run, no Videos will be listed for extraction in the Media section. In parentheses 
after each section label, the number of items parsed for that label is listed. If the number of 
items for a section is listed as (0), either no data of that type was parsed from evidence or the 
processing option to parse that data has not been run. As items are selected or deselected in the 
Component list, these numbers automatically adjust. 


For each Extracted Data type selected, the associated files are exported into a logical evidence 
file for inclusion in the portable case. For some Extracted Data types, such as Media, the number 
of files and the size of the files for an evidence item can be quite large. Keep this in mind while 
you choose data to include in portable cases. 


You can show or hide the sub-views parsed for each Extracted Data type. Some sub-views, like 
Downloads in Actionable Intel, have additional sub-views. To exclude an Extracted Data type from 
the portable case, unmark the checkbox for that data type. 


At the bottom of Extracted Data, you can mark the checkbox for Limit Extracted Data to date 
range. Do this to limit the data included in the portable case to a time period of interest to the 
reviewer. Limiting the data based on a date range may be useful in cases where the reviewer is 
only allowed to see items from a specific period of time. With this enabled, the number of items 
for each Extracted Data section is adjusted to show the number of items that fall within the 
specified date range. 
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Extracted Data 
[Screenshot: Extracted Data section of the Share view. Each section and sub-view has a checkbox and an item count in parentheses.] 

Actionable Intel: Device Backups, Device Connections, Account Usage (Cellular Usage, Top Contacts, User Accounts), Downloads, File Knowledge, Passwords (Apple Keychain), Program Execution, Search 
Communication: Calls, Messages, Posts, Voicemail, Voice Memo, Favorites, Contacts, Email 
Media: Pictures, Videos, Thumbnails, Combined, Audio Files 
Locations: Map View, Location List, Wi-Fi, Mapping Apps 
Internet: Bookmarks, Cache, Cookies, Downloads, Form Data, History, Last Session, Recent Search, Top Sites 
Productivity: Calendar, Notes 


Limit Extracted Data to date range: <start date> to <end date> 
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Tags 


All tags the examiner created in the case file appear in the Tag section. The name of the tag 
appears with the number of items included in the tag. Just as when creating a Report in Inspector, 
there is an option to Export Files for each tag. When this option is chosen, the files associated 
with the tagged data are exported into the portable case, stored in a logical evidence file. Tagged 
data overrides any date range specified in Extracted Data: selected tags are included in the 
portable case even if the tagged data does not fall within the specified date range. 


Search 


The Search section in the Share view lists the content searches that were performed. Content 
searches locate data based on keywords. This mechanism can be used to effectively limit the 
data in the portable case based on keywords of interest to the reviewer. While content searches 
cannot be limited by a date range in the Share view, data can be filtered when running a content 
search by date. 


[Screenshot: content search dialog box with Saved Searches; Options (Search: Content only, Case Sensitive, Any Unicode (UTF16), Deep Search, Skip Files Larger Than, Report Only First Hit on File); Date Created, Date Modified, Date Added, and Date Accessed "is between" range filters; Files that Match Filter (Current Unsaved Filter); Regular Expression Keyword with Add Preset; and Selected Keyword is RegEx Pattern.] 

Content searches selected for inclusion are available in the portable case. 
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Generating and Reviewing a Portable Case 


Once items have been selected to be included in the portable case, you can choose which 
Inspector Portable Case readers will be exported with the portable case data. By default, 
Portable Case readers for both Windows and Mac computers are selected. Leave them both 
selected if you don't know exactly which platform will be used to review the case. Click Generate 
Portable Case. 


[Screenshot: Share view footer with "Include executables: Windows, Mac", the status "Exporting data from all evidence items", and the Generate Portable Case button.] 


If indexing was run on the evidence items selected for export, a new index will be created 
containing only the evidence items that fit the criteria for inclusion. The default name of the 
portable case file is taken from the name of the Inspector case file. When one or more readers 
are included, a folder is created for the portable case which contains the portable case file and 
the readers. The folder name matches the portable case name. 


Once portable case generation begins, the bottom of the Content pane shows the status. The 
data is prepared and then exported into a .PortableCase file. Like an Inspector case file, on Mac 
computers the .PortableCase file is a bundle that contains files and folders. The .PortableCase 
file is created in a folder along with the selected readers in a compressed format. If no readers 
were included, only the .PortableCase file is created. This example shows portable cases created 
with both readers included, one reader included, and no reader included. 


Name                                  Size       Kind 
Bennett                               --         Folder 
    Bennett.PortableCase              28.32 GB   Portable Case 
    Portable Case 10.1 macOS64.zip    1.08 GB    ZIP archive 
    Portable Case 10.1 win64.zip      1.17 GB    ZIP archive 
Search                                --         Folder 
    Portable Case 10.1 win64.zip      1.17 GB    ZIP archive 
    Search.PortableCase               27.48 GB   Portable Case 
Tag.PortableCase                      255.9 MB   Portable Case 


The size of the portable case depends on what data was included in the export. 

Reviewing a Portable Case 

Once a portable case is created, you should open it with Inspector to review the contents and 
ensure the appropriate data was included. If any information was missed when the portable case 


was generated, you must create a new portable case. Data cannot be added to a portable case 
file. 
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Portable Case Interface 


The Inspector Portable Case reader resembles Inspector. When you open a portable case file 
with Inspector, some functions of Inspector are disabled, in effect creating an experience similar 
to the Portable Case reader. 


Menu Bar 
Options in the menu bar provide access to limited functions. From the menu bar, you can open 
and close cases, save file listings, export selected rows (in tab-delimited or csv format), and 
perform tagging functions. 


[Screenshot: three menu-bar examples from the Portable Case reader: the File menu (Open Case..., Recent), the Action menu (Save File Listing..., Copy Path), and the Tags menu (Delete Selected Tag...). The toolbar shows Case Info, Timeline, and Report.] 
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Toolbar 


The toolbar is used to select the view to show in the Content pane. Some buttons always appear. 
Other buttons appear only if data corresponding to them was selected or if tags were exported 
when the portable case was generated. For each data category selected, the corresponding 
button appears. If a portable case contains data only from exported tags and none from 
Extracted Data, the icons correspond to the data contained in the exported tags (with one 
exception). 
Button            Description 
Case Info         See case details, including Examiner Information, Case Information, and Case Time Zone Display. You may change the Case Time Zone Display. Always appears. 
Report            See the examiner report. You can generate new reports containing information identified during the review process. Always appears. 
Browser           See the files included in the portable case, stored in the same structure as the original file system. You can navigate through the file structure containing the exported files and see file timestamps, sizes, extensions, and hash values. Select a column heading to sort files by that attribute. Always appears. 
File Filter       See the file filters from Inspector. While all file filters are listed, they do not all work, because portable cases maintain limited metadata. For example, geolocation metadata is not stored in a portable case: the built-in saved filter Geo Location is still available, but running it returns no results. The File Information pane topic lists the available metadata. For more information, see File Filters. Always appears. 
Actionable Intel  See various types of data that can mostly be attributed to a user's actions. The data is stored in a tree-style menu with these sub-views: Device Backups, Device Connections, Account Usage, Downloads, File Knowledge, Passwords, Program Execution, and Search. 
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Button | Description 


Communications    See sub-views containing calls, messages, posts, voicemail, voice memos, favorites, contacts, and email. This includes data parsed from SMS, iMessage, and messages from other communication apps such as Skype, WhatsApp, Textfree, Kik, and so forth. 
Media             See sub-views containing Pictures, Videos, or Thumbnails, or use the Combined sub-view to see all of these together. The Videos sub-view includes the 4 x 4 mosaics made up of sixteen frame-sequence slices. The Audio sub-view lets you see and play audio files. This view is available only when Media is selected in the Extracted Data section during case generation. Tagged media does not populate the Media view in a portable case. 
Locations         See Google and Apple Maps usage; geolocation data from media files, calendar, and social media apps; Wi-Fi network information; and additional location services data. 
Internet          See internet history and cache information exported for the Safari, Firefox, Google Chrome, Internet Explorer, and Edge web browsers. 
Productivity      See data from the Calendar and Notes applications (macOS and iOS). 


Exported search items do not affect the views available in the toolbar. Data included in the 
portable case by means of a content search is accessible in the Browser and File Filter views. 


Component List 


The Component list includes these sections. 


• Evidence
• Content Searches
• Index Searches
• Tags
• Investigative Notes


Just as with Inspector, the Evidence section of the Component list contains a hierarchical device 
list. Only evidence items selected when the portable case file was created are listed. The original 
badge numbering from Inspector file transfers to the portable case. In a portable case, evidence 
items can be reordered by highlighting a specific item and dragging it up and down in the List. 
New evidence items cannot be added to the portable case. To review the data in the devices or 
device partitions, they must be selected in the Evidence section. 
The Tags section of the Component list provides access to Tag data included in the portable 
case. Tags exported during portable case generation cannot be altered. The case reviewer can 
create, edit, and delete new tags in the portable case. 


The Content Searches section of the Component list allows users to create content searches and 
displays content searches exported into the portable case. Any new content searches are saved 
in the portable case file. To create a new content search, click Add. For more information, see 
Search. 


The Index Searches section of the Component list provides access to the Smart Index. If the 
exported data was indexed in the Inspector case, the portable case will contain a Smart Index. 
Queries of the Smart Index are saved in the portable case file. To create a new Index Search, 
click Add. For more information, see Search. 


The Investigative Notes section of the Component list provides an area for the case reviewer to 
copy and paste or type in information they wish to note during the case review. To create a new 
Investigative Note, click Add. 


[Screenshot: the Component list of a portable case, showing the Evidence section with its 
device list, a Content Searches entry, an Index Searches entry, and a New Investigative Note 1 
entry under Investigative Notes.]
Content Pane 


Information displayed in the Content pane depends on the view selected in the toolbar and the 
devices selected in the Evidence section of the Component list. This example shows the Browser 
view. 


[Screenshot: the Browser view in the Content pane, listing files and folders from the selected 
devices with Name, Date Created, Date Modified, Date Accessed, Date Added, Version, Index 
Size, Extension, and further columns.]


This example shows the Thumbnails sub-view in the Media view. 


[Screenshot: the Thumbnails sub-view of the Media view, showing a grid of thumbnail images 
labelled with their source file names.]


The views for Actionable Intel, Communication, Media, Locations, Internet, and Productivity have 
a file filter. To show or hide the file filter, click Show/Hide Filter (three arrows) at the top right of 
the Content pane. When the Show/Hide Filter button is black, no filter is applied. While at least 
one filter is applied, the button is green. 
File Content View 


With a file selected in the Content pane, the File Content view provides two options to see the 
selected item, Strings or Preview. 


To see ASCII printable strings of three characters or more, click Strings. 
To see a file as it would appear in its native application, click Preview. 


If the selected file is a text file, you can perform a keyword search within the displayed text 
strings in both the Strings view and Preview views. 


Only on Mac computers can you see the file using Quick Look. In the Content pane, select a file 
and then in the File Content view, click Quick Look (eye button). Quick Look shows native Apple 
application files (and some third-party application files) the same way a user sees them. Audio 
and video files play within Quick Look as well. 


File Information Pane 


The File Information pane shows metadata associated with a file selected in the Content pane. In 
a portable case file, the shown metadata is limited to common file system metadata, some 
filesystem metadata unique to APFS and HFS+, and some metadata stored for the file from 
Inspector processing. These fields are available for files in the File Information pane: 

• BBTID - The reference ID of a given file or folder within Inspector's casefile database
• FileSystemID - The filesystem ID parsed from the file record
• Name
• Path
• Size - Logical size
• SizeOnDisk
• Extension - File extension stored in file system
• Content Extension - Displays the extension based on content header (file signature)
• Date Created
• Date Changed
• Date Modified
• Date Accessed
• FileSystemOffset
• fsType
• Directory
• Visible - Displays hidden/visible status
• Locked - Displays locked/unlocked status (e.g., read-only)
• Owner ID (macOS, iOS)
• Group ID (macOS, iOS)
• Permissions (macOS, iOS)
• Entropy
• ForkCount
• MD5
• SHA1
• SHA256
Accessing Portable Case Files 


When you install Inspector, you are provided with .zip files containing the portable case readers 
for Mac and Windows computers. 


[Screenshot: the Inspector 10.3 installation folder, whose Portable Case folder contains 
InspectorPortableCase-10.3-macOS64.zip and InspectorPortableCase-10.3-win64.zip, alongside 
EWMounter, Inspector, Inspector License Server, LICENSES, PLUGINS, and User Guide.pdf.]


When the checkboxes for including the executables for Windows and Mac are marked, these .zip 
files are copied into the folder created for the portable case when it is generated. 


[Screenshot: the Generate Portable Case dialog with the Include executables: Windows and Mac 
checkboxes, showing the status Exporting data from all evidence items.]


The case reviewer should decompress the .zip file for the version of the Portable Case reader 
appropriate for the platform of their reviewing computer. 


Inspector Portable Case readers cannot open Inspector case files, do not require installation, 
and do not require an Inspector license. 
Hash Set and File Signature DB Management 


This chapter provides these topics about hash set and file signature database management for 
Inspector. 


• Hash Sets
• File Signature Databases
• PhotoDNA and Project VIC
• C4All
• Semantics21


Hash Sets 


Cellebrite provides hash sets for use in Inspector from our website. The hash sets include a 
Known OS X System Files hash set and a Known Windows System Files hash set. The Known OS 
X System Files hash set includes MD5 hashes for every system file from OS X 10.0.0 through OS 
X 10.15.7 for Intel architectures. The Known Windows System Files hash set includes MD5 
hashes for Windows version 7, 7.1, 8, 8.1, and 10. 


All hash set databases include only unique file hashes. 


By default, hash sets are saved in the /Application Support/Cellebrite/Hash Sets folder. This folder 
is found in these locations, depending on the operating system of the analysis computer. 


• macOS: /Users/«username»/Library/Application Support/Cellebrite/Inspector/Hash Sets 
• Windows 10: C:\Users\«username»\AppData\Roaming\Cellebrite\Inspector\Hash Sets 


You may also import existing custom Inspector (.blhs), EnCase (6.19 and lower), and NSRL hash 
sets. Hash sets saved as plain text documents may be imported, as long as the document 
contains one hash value per line with each line separated by a carriage return. Hashes contained 
in a plain text document can be MD5, SHA-1, or SHA-256. Inspector automatically identifies the 
hash type when the file is imported. Custom hash sets created in Inspector are automatically 
saved in the .blhs format and are available for use in all Inspector cases. 


To view and manage hash sets in Inspector, in the menu bar click Manage » Hash Sets. 


There are two ways you can add an Inspector .blhs format hash set. 


• In the bottom left corner of the Manage Hash Sets window, click Import and navigate to and 
select the desired hash set. 

• From Finder on Mac computers or File Explorer on Windows computers, drag a hash set 
onto the Manage Hash Sets window. 


You cannot remove bundled Inspector hash sets; however, you can remove custom hash sets 
created using Inspector or imported hash sets. 


• To remove a hash set, select a hash set in the list, and in the bottom left corner of the 
Manage Hash Sets window click Remove. 
You can import an EnCase, NSRL, or text file hash set. 


• In the bottom corner of the Manage Hash Sets window, click Import. Navigate to and select 
the hash set, and then click Open. 


You can generate and save a custom hash set from specific files in any Inspector view. 


1. Select the files of interest either manually, by running a filter, or by selecting all files in the 
case. 
To generate a hash set of every file in a case, open the Browser view, and then select the root 
folder (at the top of the file list). 

2. In the menu bar, click Action » Export Hash Set. 

3. In the Hash Set Export window, select which hash values to store in the hash set, and then 
click Continue. 


[Screenshot: the Hash Set Export dialog, "Select hash sets to export", with MD5, SHA-1, and 
SHA-256 checkboxes.]


4. Type the name of the hash set, then click Save. 


Before you run a custom hash set, you should know if the hash set contains SHA-1 or SHA-256 
hash values. By default, Inspector only runs hash comparisons using MD5 hash values. You can 
change the Hash Comparison settings on the General tab in the Preferences window. For more 
information, see Inspector Preferences or Options. 
When this preference is set correctly, you can run this process. 


1. Select Evidence Status in the Component list. 


[Screenshot: the Component list with the Activity section expanded, showing Evidence Status 
and Export Status above the Content Searches, Index Searches, and Investigative Notes 
sections.]


2. For the appropriate device, click the yellow Play button next to Known Files. 

3. In the Hash Sets window, mark the checkbox for the custom hash set, click OK, and wait for 
processing to complete. 
The Known Files column shows Pending until the process is complete. 

4. When the process is complete, select the device in the Component list, and then click File 
Filter in the toolbar. 

5. In the field on the left, select Hash Set, then choose either Files In Hash Set or Files Not In 
Hash Set in the middle field. 

6. In the field on the right, select the custom hash set by name, and then click Filter. 


You can repeat this process on multiple devices and compare the results. 
You can rerun a hash set even if it shows as complete in the Hash Sets window. 


1. When a hash set is shown as Complete, open the context menu and click Rerun. 
2. Now you can mark the checkbox for that hash set and run the hash set again. 
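The plain-text hash set format described above (one hash per line, hash type identified on import, only unique hashes kept) and the Files In Hash Set / Files Not In Hash Set comparison, as an added Python example that is not Inspector's own code or part of this guide: the hash type is detected from the digest length, duplicates collapse, and a few constructed sample files are split by membership. Function names and the sample file contents are assumptions.

```python
"""Added example, not Inspector code: parse a plain-text hash set and run a
known-files comparison over constructed sample files."""
import hashlib
import re

# Hex-digest length identifies the algorithm, as Inspector does on import.
HASH_TYPES = {32: "md5", 40: "sha1", 64: "sha256"}
HEX_RE = re.compile(r"^[0-9a-f]+$")


def parse_hash_set(text):
    """Parse a plain-text hash set: one hash per line, lines separated by a
    carriage return and/or line feed.  Returns (hash_type, hashes).  Blank
    lines are ignored and duplicates collapse, so the set holds only unique
    hashes; a malformed line or a mix of hash types raises ValueError."""
    hash_type = None
    hashes = set()
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip().lower()
        if not line:
            continue
        kind = HASH_TYPES.get(len(line))
        if kind is None or not HEX_RE.match(line):
            raise ValueError(f"line {lineno}: not an MD5, SHA-1 or SHA-256 hex digest")
        if hash_type is None:
            hash_type = kind
        elif kind != hash_type:
            raise ValueError(f"line {lineno}: {kind} hash in a {hash_type} hash set")
        hashes.add(line)
    if hash_type is None:
        raise ValueError("hash set contains no hashes")
    return hash_type, hashes


def compare_files(files, hash_type, hashes):
    """files: {name: content bytes}.  Hash each file with the algorithm the
    hash set uses (the Hash Comparison preference must enable that algorithm,
    since only MD5 is compared by default) and return
    (files_in_hash_set, files_not_in_hash_set), each sorted by name."""
    in_set, not_in = [], []
    for name, data in files.items():
        digest = hashlib.new(hash_type, data).hexdigest()
        (in_set if digest in hashes else not_in).append(name)
    return sorted(in_set), sorted(not_in)


# Constructed sample data (not from any real case): two "known" files whose
# SHA-256 digests make up the hash set, one of them repeated in upper case.
KNOWN_FILES = {
    "desktop.ini": b"[.ShellClassInfo]\r\nIconResource=folder.ico\r\n",
    "readme.txt": b"sample known file\n",
}
SAMPLE_HASH_SET = "\r\n".join(
    [hashlib.sha256(d).hexdigest() for d in KNOWN_FILES.values()]
    + [hashlib.sha256(KNOWN_FILES["readme.txt"]).hexdigest().upper(), ""]
)
# Evidence under review: the known files plus one the hash set has never seen.
EVIDENCE = dict(KNOWN_FILES, **{"notes.docx": b"PK\x03\x04 constructed content"})


def demo():
    """Import the sample hash set and classify the sample evidence files."""
    hash_type, hashes = parse_hash_set(SAMPLE_HASH_SET)
    return hash_type, len(hashes), compare_files(EVIDENCE, hash_type, hashes)


if __name__ == "__main__":
    print(demo())  # ('sha256', 2, (['desktop.ini', 'readme.txt'], ['notes.docx']))
```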


[Screenshot: the File Filter view with the condition Hash Set / Files In Hash Set / Known Windows 
System Files applied; the results list shows the matching files with their BLID, FSID, Name, Size, 
MD5, Date Created, Date Modified, and Date Accessed columns.]
File Signature Databases 


You may create custom file signature databases and apply them during unallocated processing. 
By default, custom signature databases are stored as SQLite files in these locations. 


• on macOS: ~/Library/Application Support/Cellebrite/Inspector/UASignatureDBs 
• on Windows: /Users/«username»/AppData/Roaming/Cellebrite/Inspector/UASignatureDBs 


1. To create, add or remove a custom signature database, in the menu bar click Manage » File 
Signatures. 

2. The File Signature Management window appears. Expand each category to see the extensions 
in that category. 

3. Select an extension from the list, and the panes at right show a description and file signature 
information for the extension. 


[Screenshot: the File Signature Management window. The categories Archives, Audio, File 
System, and Pictures are listed; Pictures is expanded, showing extensions with their format 
names and frequency (for example 3DMF QuickDraw 3D Metafile, Uncommon; JPG JPEG Image 
File, Very Common). The selected entry, Device Independent Bitmap File, is described in the 
Format Information pane (Generic Windows or OS/2 bitmap graphic; supports 1, 4, 8, and 24 
bits per pixel if the image is uncompressed and 4 and 8 bits per pixel if the image uses RLE 
compression; a 24-bit DIB image contains 8 bits, or 1 byte, for each RGB color), and the File 
Signature Information pane lists its header 424D with no footer. Buttons at the bottom: 
+ New Group, Uncheck All, Cancel.]


To create a new file signature database, in the bottom left corner of the File Signature 
Management window, click New Group. A new signature database with the default name 
UserDefinedSignatures appears in the database file list. 


To add a new file signature to an existing database, select a user-defined database in the File 
Signature Management window. 


1. Click + (add) in the lower left of the window, and a separate signature definition window 
appears. 
2. Provide data in each field, then click OK. 


To remove an existing file signature, select the signature, then click - (remove). 


You can remove a file signature database from the current case. This permanently removes the 
database and cannot be undone. You cannot remove a database while a processor is running. 


• Select the database file in the list, and in the bottom left corner of the File Signature 
Management window click - (remove). 
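The header/footer signatures a signature database holds (as in the window above, where the Device Independent Bitmap File has header 424D) and the Content Extension field of the File Information pane, as one added Python example that is not Inspector's own code: it identifies a file's content extension from its leading bytes and carves matching files out of a constructed "unallocated" buffer by header and footer, the job a signature database does during unallocated processing. The GIF and JPEG signatures and the BMP size-field rule are standard published format facts added here, and all function names are assumptions.

```python
"""Added example, not Inspector code: signature-based content extension and
header/footer carving over a constructed unallocated-space buffer."""

# Signature database entries in the form the File Signature Management window
# shows them: (extension, header hex, footer hex or None, and, for formats
# without a footer, the offset of a little-endian 32-bit size field in the
# header, or None).  BMP's 424D header is the one from the guide; the BMP size
# field at offset 2 and the GIF/JPEG values are standard format facts.
SIGNATURES = [
    ("bmp", "424D", None, 2),
    ("gif", "474946383961", "003B", None),   # "GIF89a" ... "\x00;"
    ("jpg", "FFD8FF", "FFD9", None),
]


def content_extension(data, signatures=SIGNATURES):
    """Content Extension as the File Information pane derives it: the
    extension whose header matches the file's leading bytes, else None."""
    for ext, head, _foot, _size_off in signatures:
        h = bytes.fromhex(head)
        if data[: len(h)] == h:
            return ext
    return None


def carve(buffer, signatures=SIGNATURES, max_len=1 << 20):
    """Scan unallocated space for every header in the database.  Each hit is
    (offset, extension, length).  Length comes from the footer when the
    signature has one, else from the header's size field, else max_len or the
    end of the buffer.  A header whose footer never appears is reported as
    truncated with length None so the reviewer can inspect it by hand."""
    hits = []
    for ext, head, foot, size_off in signatures:
        h = bytes.fromhex(head)
        f = bytes.fromhex(foot) if foot else None
        pos = buffer.find(h)
        while pos != -1:
            remaining = len(buffer) - pos
            if f is not None:
                end = buffer.find(f, pos + len(h))
                length = None if end < 0 else end + len(f) - pos
            elif size_off is not None and remaining >= size_off + 4:
                declared = int.from_bytes(buffer[pos + size_off: pos + size_off + 4], "little")
                length = max(len(h), min(declared, remaining))   # never trust a wild size field
            else:
                length = min(max_len, remaining)
            hits.append((pos, ext, length))
            pos = buffer.find(h, pos + 1)
    return sorted(hits, key=lambda hit: hit[0])


# Constructed "unallocated space" (not from any real image): filler bytes
# around a minimal GIF, a BMP header declaring a 30-byte file, and a JPEG
# fragment with its footer.
UNALLOCATED = (
    b"\x00" * 16
    + b"GIF89a" + b"\x01\x00\x01\x00" + b"\x00;"         # offset 16, 12 bytes
    + b"\xff" * 8
    + b"BM" + (30).to_bytes(4, "little") + b"\x00" * 24  # offset 36, 30 bytes
    + b"\xff\xd8\xff\xe0JFIF" + b"\xff\xd9"              # offset 66, 10 bytes
    + b"\x00" * 7
)


def demo():
    """Carve the constructed buffer with the sample signature database."""
    return carve(UNALLOCATED)


if __name__ == "__main__":
    for offset, ext, length in demo():   # 16 .gif 12 / 36 .bmp 30 / 66 .jpg 10
        print(f"offset {offset}: .{ext}, {length} bytes")
```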


278 


August 2021 Inspector User Guide 


PhotoDNA and Project VIC 


Authorized law enforcement users can obtain the Project VIC robust hash set and import that 
into Inspector to perform PhotoDNA test comparison against case photos. Project VIC Version 
2.0 is supported. 




Signup and registration are offered through ICAC Cops Portal (ICAC) (ICE) (USPIS) (FBI). You 
must have an account on the ICAC Portal. To request membership in Project VIC, see 
https://www.icaccops.com/users/Login. The request must be approved by the ICAC Commander 
or designated Federal Administrator. 


Before you add the Project VIC hash set to Inspector, you must set the appropriate Project VIC 
country. You can do this on the Project VIC tab on the Preferences window. For more 
information, see Inspector Preferences or Options. 




Add the Project VIC Robust Hash Set to Inspector 


1. In the menu bar click Manage » Hash Sets. 

2. Click Import and then select the .json file you obtained from Project VIC. 

You cannot change the name of the hash set. When import is complete, Inspector shows how 
many hashes were successfully imported. To import multiple sets, repeat this procedure. The 
hashes are appended to the previous entry. 


[Screenshot: the Manage Hash Sets window, Project VIC section, with columns Hash Set Name, 
Categories, Source, Updated, and Records, and the note: Import a hash set which contains MD5 
hashes. Each MD5 must appear on its own line in the hash list. It is also possible to import 
Project VIC JSON files which can be used to better filter pictures and videos.]


If an entirely new hash set becomes available, you must remove the PhotoDNA hash set before 
you import the new version. Once the hashes are imported, the Manage Hash Sets window 
reflects the newly added PhotoDNA hash set. 


When you use the PhotoDNA hash set for the first time, you must provide your password. 

1. Log in to My Cellebrite. 


2. Click the link on the PhotoDNA Authentication dialog box to see the password, which you 
must enter on the PhotoDNA Authentication dialog box. 
The rest of the process for running the Project VIC robust hash set against case evidence is the 
same as with other hash sets. For more information, see Hash Sets and File Signature 
Databases. 


C4All 


Categorizer For All, or C4All, is a tool used in the investigation of child exploitation media. Once 
all the necessary evidence in a case has been acquired, C4All can be used to quickly compare 
pictures and videos found in that evidence against an expansive database of known file hashes of 
child exploitation media. 


Inspector has C4All fully integrated and ready to use on cases involving OS X, Windows, iOS, and 
Android devices. Users can connect to a locally stored C4All database in MySQL format, or one 
that is remotely stored with SQL Server. (To access a C4All database stored on SQL Server using 
a Mac computer, an ODBC driver shipped with the Inspector installer is installed automatically 
when Inspector is installed.) 


To log into the C4All database, from the menu bar click Manage » C4All. 


[Screenshot: the Manage C4All window, with the Options checkbox Store files in DVD sized 
folders and the Ignore Category field set to None.]


In the C4All window, you can set whether to allow the images and videos to be exported from the 
case file into folders that are DVD-sized. Mark or unmark the checkbox for Store files in DVD 
sized folders. 


You may also choose whether a specific category of images or videos will be excluded from the 
export. In the Ignore Category field, select a category number or leave it set to None. 


The settings in the Manage C4All window apply to every case for this computer. 
If there are multiple evidence devices (allocated or carved files), you must run C4All against each 
device separately. 


1. On the Media view in a case, select the evidence device to run C4All against. 

2. In the Component list, click Evidence Status. 

3. In the Content pane, click Run next to Known Files for the device. 

4. In the Hash Sets window, mark the checkbox for C4All and then click OK. 


[Screenshot: the Hash Sets window, "Identify files from the following Hash Sets:", listing C4All, 
Hashkeeper 2.0 (Known CP), Hashkeeper 2.0 (Suspected CP), and Known OS X System Files 
(status Complete), with a Cancel button.]


5. When the hashing process is complete, open the Media view for the selected evidence device. 
All media files (such as pictures, videos, and thumbnails) appear in the Content pane. 

6. Choose one of these options to select all items in the view. 

• In the menu bar, click Edit » Select All. 
• Use the keyboard shortcut for your computer to select all. 

Each selected item is in a yellow box. 

7. Open the context menu and then click Export » Export Data Model » C4All. 


[Screenshot: the Media view context menu open over the selected items, with Export » Export 
Data Model expanded to show C4All, Project VIC, and BlueBear LACE among the export formats.]


8. Select a folder to save the exported files to, and then click Export. 


Inspector exports the images, videos, and thumbnails in the specified C4All format and 
creates all the index files that are normally associated with C4All. 


The exported files are now ready to present to a trained child exploitation investigator. 
Semantics21 


Semantics21 provides the LASERI suite of tools to examine images, animations, and videos. Once 
images are brought into the tool, they can be assigned to one of these categories. 


0: Non-Pertinent 

1: Child Abuse Material (CAM) Illegal 

2: Child Exploitive (non-CAM) / Age Difficult 

3: CGI / Animation - Child Exploitive 

4: Comparison Images 

5: Uncategorized 


Inspector's integration with S21 allows users to complete these tasks. 


• Export data in the S21 format. 
• Import the data into an S21 tool. 
• Use the S21 tool to set labels and assign category values. 
• Connect Inspector to the S21 SQL Database (to see a list of S21 user databases). 
• Run Known Files for S21. 


Export Images and Videos 
1. In Inspector, select the images and videos to export. 

2. In the menu bar, click Export » Export Data Model » S21. 

A folder is created with a name based on the case name and the date and time the files were 
exported. 


In the S21 export folder, movies are placed in an S21M folder and pictures are placed in an 
S21P folder. These folders contain an index file and subfolders containing the pictures and 
videos exported. The index files are named S21P Index.xml for pictures and S21M Index.xml for 
videos. 


In the S21 tool, choose S21P Index.xml or S21V Index.xml to import the files into the 
appropriate LASERI tool. Once the files are imported, they can be categorized within the 
LASERI interface. 
Connect Inspector to the S21 SQL Database 


1. In the menu bar, click Manage » S21. 
2. Type your username and password. 


[Screenshot: the Manage S21 window, MySQL Connection Options: MySQL Server Address 
(localhost), Port (3306), Ignore Category (None), MySQL Login, MySQL Password, a Refresh list 
of MySQL Databases button, and the MySQL Database selector showing demos21.]


3. In the Content pane, click Evidence Status. 
4. In the Known Files column, click Run for the items you wish to run the S21 dataset on. 


[Screenshot: the Hash Sets window, "Identify files from the following Hash Sets:", listing S21.]
File System Information 


This chapter provides information about file systems that can be useful when you use Inspector. 


• Apple File System 
• Artifact Items 


Apple File System 


The Apple File System (APFS) replaced HFS+ as the default file system beginning with macOS 
10.13. APFS is much different from HFS+. APFS no longer defines a volume; rather, it implements 
a container inside of which several volumes may be present. APFS was designed for solid state 
drives (SSDs) but can work with traditional drives as well. 


[Diagram: a partition holding an APFS container, inside which several volumes sit.]


APFS also uses Copy-On-Write, which means if you copy a file, the resulting copy will not 
duplicate the data on disk. Both inodes (original and copy) will point to the same original extents. 
Only when the copy is changed will new extents be allocated. 


The APFS container by default does not have a limit on the size or location of the volumes within 
it. Unlike traditional partitions on disk, where sectors are allocated for each volume before they 
can be used, APFS allows all volumes to share a common pool of extents, and they all report the 
same total free space. This also means data from all volumes is interspersed and 
volumes are not contiguous. Space in the logical container pool can be used by one or more 
APFS volumes. APFS volumes grow and shrink by allocating unused blocks from the logical 
container pool and returning them when files are deleted and space is freed. Each APFS 
container only knows about the blocks used by its own active files, and unallocated space is 
managed within the logical container pool. Because APFS volumes within a container are not 
traditional partitions, these volumes in the container cannot be individually imaged. 


If you choose to run Digital Collector Live on the target system, keep in mind that on macOS 
10.13.0 (and higher) while System Integrity Protection (SIP) is active, no user, even root, can read 
the physical disk the system is currently booted from, the physical partition the system is 
currently booted from, or the APFS container that holds the currently booted volume. This 
makes it impossible to image the physical disk. 


Adding APFS Evidence to Inspector 


APFS is very different from any other file system, so it will appear differently than what is typically 
seen. Specifically, the APFS container uses pooled storage, which is available to all volumes 
within it, including unallocated space. Inspector will present the APFS pooled container 
highlighted with a grey box around the pooled volumes. The other volumes will appear normally. 
If a volume is encrypted, a locked icon appears next to the volume and (Encrypted) appears after 
the volume size. Encrypted volumes are automatically deselected. 


[Screenshot: the Add Evidence window for the image 28 APFS GoldMacBook 4096 withEncr 
disk0.E01 (EWF image). The middle pane lists the Primary GPT Table, the EFI System Partition 
(FAT32), the APFS container volumes Macintosh HD (Encrypted), Preboot, Recovery, and VM, 
then Unallocated (APFS), Unallocated (HFS+), BOOTCAMP (NTFS) with its VSCs 
(0 Selected, 2 Unselected, 0 Processed), and Unallocated. The Processing Options pane on the 
right offers Preview, Triage, and Comprehensive, with options such as DB Recovery, File 
Signature Analysis, Picture Analysis, Video Analysis, Process Archives, Process OCR Image 
Text, Calculate Hashes, Identify Known Files, File Carving, File System Journal Analysis, 
Spotlight Parsing, OS Event / Security Logs, Smart Indexing, Content Search (Bulk extraction), 
Mail Parsing, Activity Correlation, Hiberfil.sys / Pagefile.sys, Calculate File Entropy, and 
Manage Passwords.]


Mark the check box next to an encrypted volume within the APFS container. A password prompt 
appears where you can enter a password or a recovery key to unlock the volume. 


[Screenshot: the Enter Password or Recovery Key prompt, showing Password Hint: No Hint 
Available and a Recovery Key field.]
Because APFS uses pooled storage, deleted files cannot be carved from volumes. You can only 
carve from pooled storage, which means File Carving must be chosen for the unallocated space 
in the APFS pool during initial evidence ingestion. Data can be carved from volumes not within 
pooled storage at any time during the analysis. 


[Screenshot: the case file's Disk view with details for the Racer - Data (Active) APFS volume of 
Bennett-Computer-200520.E01: File System APFS, File Count 173086, Folder Count 29057, Pool 
Container Size 59.2 GB (63533190360 Bytes), Space Used 31.7 GB (34042556416 Bytes), with 
an Artifacts summary by category (Movies, Graphics, Emails, Documents, Disk Images, 
Archives).]

APFS Snapshot Parsing 


APFS was designed using Snapshots as a means for built-in backup support. Snapshots leverage 
the copy-on-write property of APFS to provide "instant" backups of the entire state of an APFS 
volume. Snapshots can be mounted as read-only volumes that are exact copies of the file system 
state at the time they were taken. However, Inspector does not need to mount the Snapshots in 
order to process them. 


APFS snapshots are detected automatically and listed in the middle pane of the Add Evidence 
window. Below each Snapshot entry is an indicator of the number of Snapshots selected, 
unselected, and processed. By default, none of the Snapshots are selected for processing. 


[Screenshot: the Add Evidence window for Bennett-Computer-200520.E01 (EWF image), listing 
the Protective MBR, Primary GPT Header, Primary GPT Table, EFI System Partition (FAT32), 
Racer - Data (APFS) with its entry Snapshots: Racer - Data (APFS) [0 Selected, 4 Unselected, 
0 Processed], the remaining APFS volumes, Unallocated (APFS), Basic data partition (NTFS) 
with its VSCs [0 Selected, 2 Unselected, 0 Processed], and Unallocated.]
You can expand APFS Snapshots. 


Add Evidence. 
Attached / Mounted Disks E Bennett-Computer-200520.E01 (EWFimage) 


Attached Mobile Devices 


Evidence ID: Bennett-Computer-200520.E01 - 001 


© J Bennett-Computer-200520.E01 


Files / Folders / Disk Images 
gg Protective mer 
512 Bytes 


Primary GPT Header 
512 Bytes 


Bi Primary GPT Table 
16.0 KB 
fp Unallocated 

3.0 KB 


EFI System Partition (FAT32) 
== 200.0 MB 


Racer - Data (APFS) 
m 31.7 GB 


Snapshots: Racer - Data (APFS) 
[0 Selected, 4 Unselected, 0 Processed) 


gj Racer - Data Snap 1 (APFS) 
317 GB 


Qj Racer - Data Snap 2 (APFS) 
317 GB 


Im cer ets Snap 3 (APFS) 
11.7 GB 


ww Racer - Data Snap 4 (APFS) 
317 GB 


Preboot (APFS) 


= 271MB 
a Recovery (APFS) 
= 500.7 MB 
E VM (APFS) 
a zoc 
Racer (APFS) 
a Stace 
I Unallocated (APFS) 
14.5 GB 
e Basic data partition (NTFS) 
= 524GB 
> jp VSCs: Basic data partition (NTFS) 


[0 Selected, 2 Unselected, 0 Processed] 
Unallocated 
472.0 KB 
Refresh 


Remove 1of 1 selected 
[Screenshot: Processing Options window for Racer - Data (APFS), with the Preview, Triage and Comprehensive presets and the option checkboxes: Extract Data, DB Recovery, File Signature Analysis, Picture Analysis, Video Analysis, Process Archives, Process OCR Image Text, Calculate Hashes, Identify Known Files, File System Journal Analysis, Spotlight Parsing, OS Event / Security Logs, Smart Indexing, Content Search (Bulk extraction), Mail Parsing, Activity Correlation, Hiberfil.sys / Pagefile.sys, Calculate File Entropy, Manage Passwords..., Cancel]


Once a snapshot is expanded, select specific snaps to process. As snaps are selected, the indicator for that snapshot is updated. Like all other volumes listed, different processing options can be set for each Snapshot. Processing all Snapshots takes a longer time, and they do not have to be ingested during initial evidence processing.


APFS Snapshots are automatically enabled if Time Machine is enabled, even if no backup disk is connected. Snapshots are created approximately every hour, before each Time Machine backup, and before certain system updates. The Snapshot lifetimes depend on a number of factors, but they are generally available for about 24 hours. Older snapshots may be deleted if the disk is low on space. We have found that devices with unsuccessful Time Machine backups tend to retain snapshots the longest.


[Screenshot: Inspector case file with the evidence item Bennett-Computer-200520.E01 expanded to show Racer - Data (Active), Racer - Data (Snap 1) and Racer - Data (Snap 2), each listed with its own Date Created and Date Modified values, and the Metadata sub-view for a selected item]
APFS on macOS 10.15


Increased system protection was added in macOS Catalina 10.15. The operating system runs in a read-only system volume, separate from other files. When a system is upgraded to Catalina, a second volume is created, and some files may move to a Relocated Items folder.


The boot volume was effectively split into two pieces. On the Desktop it appears as one volume, but looking at it via Disk Utility, it is readily apparent that there are two volumes.


[Screenshot: Disk Utility showing the two APFS volumes of one 500.07 GB APFS (Encrypted) container: MacSSD (Type APFS Volume, Used 10.97 GB, Device disk1s5) and MacSSD - Data (Mount Point /System/Volumes/Data, Type APFS Volume, Used 223.66 GB, Device disk1s1), each reporting Capacity 500.07 GB and Available 266.17 GB (3.66 GB purgeable)]


The volume name that appears on the Desktop appears in both volumes; the second volume has - Data appended to the volume name. For more information, see this topic provided by Apple: https://support.apple.com/en-us/HT210650.

You can also see this structure when the volume is processed in Inspector. This can first be seen when ingesting evidence from a macOS 10.15 system.


[Screenshot: Add Evidence window for Bennett-Computer-200520.E01 (EWFImage), Evidence ID Bennett-Computer-200520.E01 - 001, listing Protective MBR, Primary GPT Header, Primary GPT Table, Unallocated (3.0 KB), EFI System Partition (FAT32, 200.0 MB), Racer - Data (APFS, 31.7 GB) with Snapshots: Racer - Data (APFS) [0 Selected, 4 Unselected, 0 Processed], the other APFS volumes of the container, Unallocated (APFS, 14.5 GB), Basic data partition (NTFS, 52.4 GB) with VSCs: Basic data partition (NTFS) [0 Selected, 2 Unselected, 0 Processed], and Unallocated (472.0 KB)]


This example shows a macOS computer with the volume name Racer. Evidence processing options can be different for the two volumes. User files and data are stored on the «Volume Name» - Data volume. When choosing processing options, keep this in mind.


File System Information


Once processed, the Details view shows different information for each portion of the volume. This is shown for the «Volume Name» - Data portion.


1. Information about data contained in this portion of the combined volume
2. Information about the macOS system
3. Information pertaining to just the «Volume Name» - Data portion


[Screenshot: Details For: Racer - Data. Summary: Device Bennett-Computer-200520.E01, Volume Racer - Data, File System APFS. Extended Information: File Count 173086, Folder Count 29057, Pool Container Size 59.2 GB (63533199360 Bytes), Space Used Unformatted 34042556416, File System APFS, Identifier 6, Root File Create Date 2019-09-29 20:23:20 (UTC), Root File Modify Date 2020-04-14 15:54:05 (UTC), Root File Accessed Date 2020-05-08 20:52:47 (UTC), Space Used 31.7 GB (34042556416 Bytes), followed by system information for the Mac (Model, Host Name, Serial Number, macOS install date, Time Zone, Language, AirDrop Discoverable Mode, the MAC address of each network interface, Dynamic IP). Disk view: Evidence ID Bennett-Computer-200520.E01 - 001. Artifacts: Graphics, Disk Images, Archives, Emails]


This is shown on the Details view for «Volume Name».


1. Information about the OS version and data contained in this portion of the combined volume
2. Information pertaining to just the «Volume Name» portion


[Screenshot: Details For: Racer. Summary: Device Bennett-Computer-200520.E01, Volume Racer, Mac OS X (10.15.4), File System APFS. Extended Information: File Count 380158, Folder Count 108807, Last File ID, Pool Container Size 59.2 GB (63533199360 Bytes), Space Used Unformatted, Identifier, Root File Create Date, Root File Modify Date, Root File Accessed Date, Space Used 10.4 GB (11174010880 Bytes). Disk view: Evidence ID Bennett-Computer-200520.E01 - 001. Artifacts: Graphics 11372, Documents, Disk Images]


During the examination, most of the user data will be found on «Volume Name» - Data. While there are pictures, videos, and other files on the «Volume Name» partition, they are related to applications and the operating system; they are not files created by the user.
August 2021 


Artifact Items


These are the artifacts that Inspector can parse.


• Spotlight Index
• NTFS Access Control Lists
• Cocoa Nanosecond Timestamp Format


Spotlight Index 


Inspector can parse macOS Spotlight indexes. Spotlight is a system-wide search feature of macOS and the iOS operating systems. It allows users to quickly locate a wide variety of items on the computer, including documents, pictures, music, applications, and system preferences. Specific words in documents and in web pages in a web browser's history or bookmarks can be searched. It also allows users to narrow down searches with creation dates, modification dates, sizes, types, and other attributes.


You can choose to run the Spotlight Parsing option in the Add Evidence window or in the Evidence Status pane.


Spotlight data is parsed into multiple locations in Inspector.


• Spotlight sub-view in the System view
• In the Actionable Intel view
  ◦ Spotlight Search Shortcuts in the Search sub-view
  ◦ AirDrop artifacts in the Downloads sub-view
  ◦ Recently accessed files in the File Knowledge sub-view


For more information, see these topics. 


• System View
• Actionable Intel View


Cellebrite Inspector User Guide


[Screenshot: Processing Options window for Bennett-Computer-...0.E01 (EWFImage), with the Preview, Triage and Comprehensive presets and the processing option checkboxes (Extract Data, DB Recovery, File Signature Analysis, Picture Analysis, Video Analysis, Calculate Hashes, Identify Known Files, File Carving, File System Journal Analysis, OS Event / Security Logs, Process Archives, Smart Indexing, Content Search (Bulk extraction), Mail Parsing, Hiberfil.sys / Pagefile.sys with a Quick Scan / Deep Scan choice, Calculate File Entropy, Manage Passwords...)]
The Spotlight index items can also be located in the Metadata sub-view of the File Content view 
for any item in a macOS or iOS volume. All of the items will exist under the Spotlight heading 
within the metadata. There is a lot of information within this heading, some of which exists in the 
file itself as well as within the file's own metadata. However, there can also be much more 
useful information, such as dates and times. 




In addition to the Metadata sub-view for Spotlight indexes, you can filter on these pieces of 
information within the Filter view. 


NTFS Access Control Lists 


File system permissions in NTFS are controlled with Access Control Lists (ACLs), which are ordered lists of ACEs (Access Control Entries). Each user logged onto the system holds an access token with security information for that logon session. The system creates an access token when the user logs on. Every process executed on behalf of the user has a copy of the access token. The token identifies the user, the user's groups, and the user's privileges. A token also contains a logon SID (Security Identifier) that identifies the current logon session.


Each ACE in an NTFS ACL contains these items.


• A SID (Security Identifier) that identifies a particular user or group
• An access mask that specifies access rights
• A set of bit flags that determine whether or not child objects can inherit the ACE
• A flag that indicates the type of ACE


ACEs are fundamentally alike. What sets them apart is the degree of control they offer over inheritance and object access. There are two types of ACEs.


• Generic types, which are attached to all securable objects
• Object-specific types, which can occur only in ACLs for Active Directory objects
In the Metadata sub-view, you can see the ACE entries for each type that exists for the selected file.


[Screenshot: File Content view, Metadata sub-view for a .jpg file in the BOOTCAMP (NTFS) volume, showing NTFS Access Control Entry (2) and NTFS Access Control Entry (3): Access Mask, ACE Type: Access Allowed, Name: Administrators, and the individual rights (Append Data, Change Permissions, Delete, Read Attributes, Read Data, Read Extended Attributes, Read Permissions, Synchronize, Take Ownership, Write Attributes, Write Data, Write Extended Attributes) each marked True, beside the file's Name, Path, Size, Extension, Date Created, Date Changed, Date Modified, Date Accessed and File System Type: NTFS fields]
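To show where the fields in that Metadata sub-view come from, here is a small decoder for NTFS ACEs. It is an added example written for this page, not Inspector's own code. It follows the documented Windows layouts of the ACE header, the access mask and the binary SID, and turns one ACE into exactly the items the text lists: the SID (resolved to a name for a few well-known SIDs), the ACE type, the inheritance flags, and a True/False entry for every access right in the mask. The two-entry DACL it decodes is constructed for the example; nothing here reads a real volume.

```python
"""Decode NTFS access control entries (ACEs) into the fields a forensic
metadata view presents: SID, ACE type, inheritance flags and the individual
access rights encoded in the access mask.

Added example, not Inspector's own code. The ACE, SID and access-mask
layouts are the documented Windows structures (ACE_HEADER, ACCESS_ALLOWED_ACE,
SID); the sample DACL bytes below are constructed for this example.
"""
import struct

# ACE_HEADER.AceType values
ACE_TYPES = {0: "Access Allowed", 1: "Access Denied", 2: "System Audit"}

# ACE_HEADER.AceFlags bits that control inheritance to child objects
ACE_FLAGS = {
    0x01: "Object Inherit",
    0x02: "Container Inherit",
    0x04: "No Propagate Inherit",
    0x08: "Inherit Only",
    0x10: "Inherited",
}

# File-specific rights (low bits) and standard rights (bits 16-20)
ACCESS_RIGHTS = {
    0x00000001: "Read Data",
    0x00000002: "Write Data",
    0x00000004: "Append Data",
    0x00000008: "Read Extended Attributes",
    0x00000010: "Write Extended Attributes",
    0x00000020: "Execute",
    0x00000040: "Delete Child",
    0x00000080: "Read Attributes",
    0x00000100: "Write Attributes",
    0x00010000: "Delete",
    0x00020000: "Read Permissions",
    0x00040000: "Change Permissions",
    0x00080000: "Take Ownership",
    0x00100000: "Synchronize",
}

# A few well-known SIDs so the output can name the principal (subset only)
WELL_KNOWN_SIDS = {
    "S-1-1-0": "Everyone",
    "S-1-5-18": "SYSTEM",
    "S-1-5-32-544": "Administrators",
    "S-1-5-32-545": "Users",
}


def parse_sid(data, offset=0):
    """Parse a binary SID at `offset`; return (sid_string, bytes_consumed)."""
    revision, sub_count = data[offset], data[offset + 1]
    # The 48-bit identifier authority is stored big-endian; sub-authorities are LE
    authority = int.from_bytes(data[offset + 2:offset + 8], "big")
    subs = struct.unpack_from("<%dI" % sub_count, data, offset + 8)
    sid = "S-%d-%d" % (revision, authority) + "".join("-%d" % s for s in subs)
    return sid, 8 + 4 * sub_count


def parse_ace(data, offset=0):
    """Parse one ACE starting at `offset`; return a dict of decoded fields."""
    ace_type, ace_flags, ace_size = struct.unpack_from("<BBH", data, offset)
    (mask,) = struct.unpack_from("<I", data, offset + 4)
    sid, _ = parse_sid(data, offset + 8)
    return {
        "ace_type": ACE_TYPES.get(ace_type, "Unknown (%d)" % ace_type),
        "inheritance": [n for bit, n in ACE_FLAGS.items() if ace_flags & bit],
        "access_mask": "0x%08X" % mask,
        # The per-right True/False list a metadata view shows
        "rights": {name: bool(mask & bit) for bit, name in ACCESS_RIGHTS.items()},
        "sid": sid,
        "name": WELL_KNOWN_SIDS.get(sid, sid),
        "size": ace_size,
    }


def parse_dacl_aces(data):
    """Walk consecutive ACEs (the body of a DACL) and decode each in order."""
    aces, offset = [], 0
    while offset + 4 <= len(data):
        ace = parse_ace(data, offset)
        aces.append(ace)
        offset += ace["size"]
    return aces


def build_ace(ace_type, ace_flags, mask, sid_parts):
    """Assemble an ACE from parts (used here only to construct sample input)."""
    authority, subs = sid_parts[0], sid_parts[1:]
    sid = struct.pack("<BB", 1, len(subs)) + authority.to_bytes(6, "big")
    sid += struct.pack("<%dI" % len(subs), *subs)
    size = 8 + len(sid)
    return struct.pack("<BBHI", ace_type, ace_flags, size, mask) + sid


# Constructed sample DACL: Administrators get Full Control (0x001F01FF),
# inherited from the parent folder; Everyone is explicitly denied Delete.
SAMPLE_DACL = (
    build_ace(0, 0x10, 0x001F01FF, (5, 32, 544))
    + build_ace(1, 0x00, 0x00010000, (1, 0))
)

if __name__ == "__main__":
    for entry in parse_dacl_aces(SAMPLE_DACL):
        print(entry["ace_type"], entry["name"], entry["access_mask"], entry["inheritance"])
        for right, granted in entry["rights"].items():
            print("  %s: %s" % (right, granted))
```

Order matters when reading a DACL: Windows evaluates ACEs top to bottom and the first matching Access Denied entry wins, which is why the decoder keeps the entries in list order rather than merging them.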


Cocoa Nanosecond Timestamp Format 


From time to time, Apple changes storage formats for certain things. The Cocoa format for 
timestamps was introduced in iOS 11 and macOS 10.13. Instead of the previous 9 digits, Cocoa 
timestamps are 18 digits for some date columns. Inspector supports these longer nanosecond 
timestamps when they are encountered. 


[Screenshot: SQLite query view of a messages database. The date, date_read and date_delivered columns hold 18-digit values such as 460076254000000000; the Data Interpreter pane decodes the selected value as Cocoa Nanoseconds 2015-07-31 22:57:34 (UTC), alongside its other interpretations (Chrome, Cocoa WebKit, 8-bit signed and unsigned, Little Endian)]
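The conversion the Data Interpreter performs is simple once the unit is known: both widths count from the Cocoa epoch of 2001-01-01 00:00:00 UTC, the 9-digit form in seconds and the 18-digit form in nanoseconds. The following Python is an added example written for this page, not Inspector's code. It builds a constructed in-memory SQLite messages table that mixes the two widths, decides the unit by magnitude (the threshold is an assumption explained in the comment), and renders every date column as a UTC string; the two 18-digit sample values are the ones visible in the screenshot above.

```python
"""Convert Cocoa timestamps from an SQLite table to UTC dates.

Added example, not Inspector's own code. Cocoa timestamps count from the
2001-01-01 00:00:00 UTC epoch; older databases store 9-digit seconds,
newer ones (iOS 11 / macOS 10.13 and later) store 18-digit nanoseconds.
The sample database and its rows are constructed for this example.
"""
import sqlite3
from datetime import datetime, timedelta, timezone

COCOA_EPOCH = datetime(2001, 1, 1, tzinfo=timezone.utc)

# Assumption: any magnitude at or above 10**10 is nanoseconds. A seconds value
# that large would be year 2317; a nanosecond value below it would be within
# ten seconds of the 2001 epoch, which does not occur in real data.
NANOSECOND_THRESHOLD = 10**10


def detect_unit(value):
    """Report which width a raw column value uses: 's', 'ns' or None (unset)."""
    if value in (None, 0, "", "0"):
        return None
    return "ns" if abs(int(value)) >= NANOSECOND_THRESHOLD else "s"


def cocoa_to_datetime(value):
    """Return a UTC datetime for a 9-digit (s) or 18-digit (ns) Cocoa value.

    None and 0 mean "not set" in these tables and are returned as None.
    """
    unit = detect_unit(value)
    if unit is None:
        return None
    value = int(value)
    if unit == "ns":
        seconds, nanos = divmod(value, 10**9)
        # datetime resolves to microseconds, so the last three digits are dropped
        return COCOA_EPOCH + timedelta(seconds=seconds, microseconds=nanos // 1000)
    return COCOA_EPOCH + timedelta(seconds=value)


def build_sample_db():
    """Constructed messages table with both timestamp widths side by side."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE message (ROWID INTEGER PRIMARY KEY, guid TEXT,"
        " date INTEGER, date_read INTEGER, date_delivered INTEGER)"
    )
    rows = [
        # 18-digit nanosecond values (iOS 11+ style); 0 means the event never happened
        (1, "C83B-1", 460076254000000000, 460076254000000000, 0),
        (2, "C83B-2", 456815263000000000, 0, 456815265000000000),
        # 9-digit second value (pre-iOS 11 style) for the same instant as row 1
        (3, "C83B-3", 460076254, 0, 0),
    ]
    conn.executemany("INSERT INTO message VALUES (?, ?, ?, ?, ?)", rows)
    return conn


def normalize_message_dates(conn):
    """Return one dict per row with each date column rendered as UTC text."""
    out = []
    cur = conn.execute(
        "SELECT ROWID, guid, date, date_read, date_delivered FROM message ORDER BY ROWID"
    )
    for rowid, guid, *dates in cur:
        rec = {"ROWID": rowid, "guid": guid}
        for col, raw in zip(("date", "date_read", "date_delivered"), dates):
            dt = cocoa_to_datetime(raw)
            rec[col] = dt.strftime("%Y-%m-%d %H:%M:%S (UTC)") if dt else None
            rec[col + "_unit"] = detect_unit(raw)
        out.append(rec)
    return out


if __name__ == "__main__":
    for rec in normalize_message_dates(build_sample_db()):
        print(rec)
```

Keeping the detected unit beside each rendered date is worth the extra column: a table that mixes both widths (for example after an OS upgrade) is the case where a fixed divisor silently produces dates in 2001 or far in the future.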
Troubleshooting


This chapter provides these topics about troubleshooting for Inspector. 


• The Debug Console
• Other Issues


The Debug Console 


Inspector may on rare occasion “hang” or unexpectedly quit. If this happens, relaunch Inspector, 
and then get the Dongle ID from the About Inspector window. 


• On Mac computers, in the menu bar, click Inspector » About Inspector.
• On Windows computers, in the menu bar, click Help » About Inspector.


When you contact Technical Support, you will need the Dongle ID. For more information, see 
Getting Support. 


The Debug Console also opens in the lower left corner of the screen. You may open the Debug 
Console before you open a case to see more information that may be of interest. 


There are several commands for the Debug Console that may yield additional troubleshooting 
information. Before you run and attempt to troubleshoot an Inspector process, you must enable 
verbose mode. 


Note: Inspector runs much slower than usual when verbose mode is on.


Enable Verbose Mode


• In the lower left corner of the Debug Console, type verbosemode.


[Screenshot: Debug Console with verbosemode typed in the command field]




The Debug Console window shows additional information. 


eo Debug Console 
Command received: verbosemode 

VerboseMode is ON 

Command executed: verbosemode 


These are additional Debug Console commands. 


Command        Description
systemlog      Save the debug log to the console or system log
logfile        Save the debug log to a file named Inspector Debug Log.txt on the Desktop
verbosemode    Enable verbose mode debugging
watchmemory    Display Inspector objects' memory usage in real time
memused        Show how much memory is currently in use
objects        Display all the objects Inspector is using
objectcount    Show the number of objects Inspector is using


Errors appear in red font in the Debug Console. For example, the text DiskProcessor is 
Restarting may appear. While this is technically an error, there is no problem. DiskProcessor 
restarts itself in the event of an error, and this information is shown in the Debug Console. 


[Screenshot: Debug Console output showing DiskProcessorShell command lines for the diskprocessor tool, DataNormalizer.Run execution times for the Facebook and Foursquare normalizers, and an error stack trace beginning with Error number: 0]
Other Issues


Inspector may encounter files that cause the application to “hang” or close unexpectedly. Logs 
created as a result of these responses are very useful during the troubleshooting process. If 
possible, please have these logs available when you contact Cellebrite Technical Support. 
Unfortunately, logs are often not created, and determining the exact cause is difficult. 


Exception Errors 


When an exception error occurs, Inspector shows an error alert. 


[Error alert]

Oops! This is embarrassing, an error has occurred.

Inspector has encountered an error. We apologize for the inconvenience. Please click on the "Report..." button to send this to Cellebrite so that we can fix it as soon as possible.

Although it may be possible to continue, it is advisable to quit and restart.

Type: ThreadAccessingUIException
Message: A thread has attempted to manipulate a user interface element. This can only be done from the application's main thread.
Stack:
REALbasic.UITrap
Window. | Exit96960«Window»
rbframework.dylib$3143
rbframework.dylib$3119
RuntimeUnlockObject
rbframework.dylib$1411
.pthread body

Report...   Continue


If this happens, click Report. This sends the error report to Cellebrite so we can attempt to fix 
the problem as soon as possible. 


If you would like our support team to contact you by email for assistance and follow up, type your 
contact information in the Name and/or Email field in the Problem Report window. In the 
Comments field, please include any information about what tasks were being performed when 
the error occurred or provide steps so that we can attempt to recreate the error during the 
troubleshooting process. 


Database Errors 


The deleted SQLite record recovery process can cause a database error, more often on a Windows analysis computer than on a Mac. You can remedy this issue on the Options tab in the Preferences window by unmarking the checkbox for Recover Deleted SQLite Records. For more information, see Inspector Preferences or Options.


This prevents Inspector from attempting to recover deleted SQLite records. 
If disabling this option does not remedy the issue, open the Debug Console, issue the verbose mode command, and repeat the action undertaken prior to the crash.


Searching container files such as .tar and .zip files can also cause issues. If this happens in a 
case when deep search has been enabled, you can disable deep search to prevent Inspector 
from searching inside a container or compound files. However, you will have to manually extract 
and examine container or compound file types. 


Locating Partitions 


Sometimes Inspector may not automatically locate a disk image, disk image partition, or the 
correct disk image partition. This problem often occurs if the GUID, Apple partition map, or the 
Master Boot Record has been wiped, though the partitions remain present. You can remedy this 
by either extracting the partitions and then adding the extracted partitions back to the case as 
separate devices, or by adding a new partition to the image file. 


1. At the top of the Component list, click Add.

2. Navigate to the disk image and click Open.

3. In the Add Evidence window, open the context menu from the image file name and click Edit Partitions.
The Partition Editor window appears with each volume's start and end sector information.


[Screenshot: Partition Editor window listing each volume's Name, First Sector and Last Sector (including Recovery HD 117597144 to 118866687 and BOOTCAMP 418867968 to 478255871) beside a hex view of the highlighted sector]


4. In the bottom left corner of the Partition Editor window, click + (add).
A new partition entry appears.

5. Under the Name column, type the new partition name.

6. Under the First Sector and Last Sector columns, type the partition's start sector number and end sector number, respectively.

7. Click Apply.


Inspector recognizes the new partition, displays it in the Evidence section of the Component list, 
and makes partition data available for analysis. 
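The Partition Editor needs a First Sector and Last Sector for each volume that the wiped partition map no longer describes, and those numbers have to come from the volumes themselves. The following Python scanner is an added example written for this page, not an Inspector tool: it walks a raw image sector by sector, recognizes the documented boot-sector signatures of FAT32 and NTFS and the APFS container superblock (the three file system types shown in the Add Evidence window above), and derives each volume's extent from the size fields in those structures. It only reads the image. The 4 MB image it scans is constructed in memory, with sector 0 left blank to stand in for a wiped MBR/GPT.

```python
"""Locate file system boot sectors in a raw disk image whose MBR / GPT has been
wiped, and derive the First Sector / Last Sector values a partition editor needs.

Added example, not Inspector's own code. Signature offsets are the documented
on-disk layouts of the FAT32 and NTFS boot sectors and of the APFS container
superblock (nx_superblock_t); the image scanned below is constructed here.
"""
import struct

SECTOR = 512


def probe_fat32(sector):
    """FAT32 boot sector: advisory type label at 0x52, sector counts in the BPB."""
    if sector[0x52:0x5A] != b"FAT32   ":
        return None
    (small,) = struct.unpack_from("<H", sector, 0x13)  # 16-bit count, 0 on FAT32
    (large,) = struct.unpack_from("<I", sector, 0x20)  # 32-bit count
    return "FAT32", small or large


def probe_ntfs(sector):
    """NTFS boot sector: OEM ID at offset 3, total sectors (u64) at 0x28."""
    if sector[3:11] != b"NTFS    ":
        return None
    (total,) = struct.unpack_from("<Q", sector, 0x28)
    # NTFS keeps a backup boot sector just past this count; confirm the end against
    # the next volume's start before typing it into a partition editor.
    return "NTFS", total


def probe_apfs(sector):
    """APFS container superblock: magic 'NXSB' at 32, block size at 36, block count at 40."""
    if sector[32:36] != b"NXSB":
        return None
    block_size, block_count = struct.unpack_from("<IQ", sector, 36)
    return "APFS", block_size * block_count // SECTOR


PROBES = (probe_fat32, probe_ntfs, probe_apfs)


def find_partitions(image):
    """Scan every sector for a known boot sector and report each volume's bounds."""
    found, lba, total = [], 0, len(image) // SECTOR
    while lba < total:
        sector = image[lba * SECTOR:(lba + 1) * SECTOR]
        hit = next((r for r in (p(sector) for p in PROBES) if r), None)
        if hit and hit[1] > 0:
            name, length = hit
            found.append({
                "name": name,
                "first_sector": lba,
                "last_sector": lba + length - 1,
                "size_bytes": length * SECTOR,
            })
            lba += length  # skip the body of the volume just found
        else:
            lba += 1
    return found


def build_sample_image():
    """Constructed 4 MB image: blank sector 0 and three orphaned volumes."""
    image = bytearray(8192 * SECTOR)

    fat = bytearray(SECTOR)
    fat[0x52:0x5A] = b"FAT32   "
    struct.pack_into("<I", fat, 0x20, 400)              # 400 sectors
    image[40 * SECTOR:41 * SECTOR] = fat

    ntfs = bytearray(SECTOR)
    ntfs[3:11] = b"NTFS    "
    struct.pack_into("<Q", ntfs, 0x28, 1000)            # 1000 sectors
    image[2048 * SECTOR:2049 * SECTOR] = ntfs

    apfs = bytearray(SECTOR)
    apfs[32:36] = b"NXSB"
    struct.pack_into("<IQ", apfs, 36, 4096, 100)        # 100 blocks of 4 KB = 800 sectors
    image[4096 * SECTOR:4097 * SECTOR] = apfs
    return bytes(image)


if __name__ == "__main__":
    for part in find_partitions(build_sample_image()):
        print("%-6s First Sector %d  Last Sector %d  (%d bytes)" % (
            part["name"], part["first_sector"], part["last_sector"], part["size_bytes"]))
```

A sector-by-sector scan of a real image is slow but exhaustive; it also finds stale boot sectors left by earlier formatting, so each reported extent is a candidate to verify (for example by checking that it does not overlap a neighbour) rather than an answer to copy blindly.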


If a problem with Inspector persists, please contact Cellebrite Technical Support. For more 
information, see Getting Support. 




Appendix 1 - iTunes Precautions 


All of these precautionary procedures are highly recommended for the analyst to remain in full 
control of the computer. If any application auto-launches while a device is attached, the 
application may cause adverse effects to evidence. 


To prevent inadvertent data writes to an evidentiary iOS device, you must prevent iTunes from 
launching when an iOS device is attached to an analysis machine. The methods for doing so 
differ depending on whether the iTunes application has been previously launched under the 
current user account on the analysis computer. 


If iTunes has been launched under the current user account on the analysis computer, before 
you attach an iPhone to the analysis computer, you must disable the iTunesHelper application. 
This application launches iTunes automatically when an iOS device is attached to the computer. 
Disabling this application prevents iTunes from launching. 


Disable iTunes on a Mac Computer 


1. Launch iTunes.
2. At the top of the screen on the menu bar, click iTunes » Preferences.
3. Click Devices.


[Screenshot: iTunes Devices preferences showing the Device backups list and the Prevent iPods, iPhones, and iPads from syncing automatically checkbox marked]


4. Mark the checkbox for Prevent iPods, iPhones and iPads from syncing automatically, and then click OK.
5. On the menu bar, click iTunes » Quit iTunes.


Next, disable the iTunesHelper application to prevent the iTunesHelper application from 
automatically launching during login. 
Permanently Disable iTunesHelper on a Mac Computer


1. Click anywhere on the Desktop.
2. On the menu bar, click Apple » System Preferences.
3. Click Users & Groups. (On versions of OS X earlier than Lion, click Accounts.)
4. On the preferences window, click Login Items.
5. In the Hide column, mark the checkbox for iTunesHelper.


[Screenshot: Users & Groups preferences, Login Items tab, listing the items that open automatically at login, including iTunesHelper, with the Hide checkbox column]


6. Below the list, click - (remove).
The iTunesHelper application is removed from the automatic login items list.


Temporarily Disable iTunesHelper on a Mac Computer 


1. Launch the Activity Monitor application, which is located here: /Applications/Utilities/Activity Monitor.
2. In the Activity Monitor menu, click View » My Processes (if it is not already selected).
3. In the Filter field, type iTunes Helper.
The iTunes Helper application process is isolated.
[Screenshot: Activity Monitor (My Processes) filtered on iTunes Helper, showing the single matching process]


4. Select the iTunes Helper application. 
5. Inthe top left corner of the Activity Monitor window, click Quit Process (the stop sign with an 
X in it) and then click Quit. 


The iTunesHelper application is disabled, and iTunes will no longer automatically launch when 
an iOS device is attached to the analysis computer. 


You can reactivate iTunesHelper. Either locate the application and manually launch it, or add it 
back to the list of login items and then log out and back in. The iTunesHelper application process 
appears in the Activity Monitor process list when it is active. For recent versions of iTunes on a 
Mac, open this folder in Finder to locate the iTunesHelper application: 
/Applications/iTunes/Contents/MacOS/. 
Disable Auto-Launch of Camera-Related Applications on Mac Computers


OS X features a running daemon named PTPCamera. This daemon checks for the connection of a 
camera device, and most iOS devices include camera functionality. In the default configuration of 
OS X, the Image Capture application launches when a camera device is connected to the system. 
Image Capture has an option to stop auto-launch when a specific device is connected, but it does 
not offer a way to control the connection of new camera devices. 


iPhoto, however, offers the ability to control auto-launch for all camera devices. In fact, with 
iPhoto, the user can select a preference to never auto-launch any camera-related application, 
including Image Capture, when camera devices are attached. 


1. To set this preference, open the iPhoto application and click iPhoto » Preferences.
The iPhoto General preferences window appears.
2. In the Connecting camera opens field, select No application.


A specific key in the user's Library/Preferences folder is set, stopping applications related to the 
camera function of any camera device. 


Disable iTunes on a Windows 10 Computer 


1. After launching iTunes, in the menu bar, click iTunes » Preferences.
2. On the General Preferences window, click Devices.
3. Mark this checkbox: Prevent iPods, iPhones and iPads from syncing automatically.


[Screenshot: iTunes Devices Preferences pane with the Prevent iPods, iPhones, and iPads from syncing automatically checkbox marked] 


4. Disable the iTunesHelper application to prevent it from automatically launching during login. 
a. Open the Task Manager, and on the Startup tab, disable iTunesHelper. 
b. On the Processes tab, right-click iTunesHelper.exe, and then click End task. 
Disabling Windows AutoPlay features 


AutoPlay is active on Windows 10 by default. It does not appear to automate anything with iOS 
devices that are attached, but it is best practice to disable it. 


For more information, see Disabling Windows AutoPlay in System Settings on Windows 10 
Computers. 
Appendix 2 - EWMounter 


Inspector ships with a separate E01 forensic image mounting application that allows examiners 
to mount E01 image files on a Mac computer. You can save a lot of time by mounting a forensic 
image as a connected device and browsing the directory structure before acquiring data from 
the image file. Mounting an E01 forensic image file is also helpful in the course of a forensic 
examination of Mac computers, because you may be able to open non-native application files 
that cannot be opened from within Inspector. 


Inspector supports EWMounter on macOS up to 10.157. 


On Mac computers running macOS 10.13 and higher, when EWMounter is run for the first time, 
this warning appears. 


[Screenshot: EWMounter window with Mount, Unmount, and Verify Hash buttons, showing this notice] 


Important information for systems running macOS 10.13 and higher 


macOS High Sierra 10.13 introduces a new feature that requires your approval before 
loading newly-installed third-party kernel extensions (KEXTs). This feature enforces that 
only kernel extensions approved by you will be loaded on a system. The load request is 
denied and macOS presents the alert shown: 


System Extension Blocked 
A program tried to load new system extension(s) signed by "BlackBag Technologies, Inc.". 
If you want to enable these extensions, open Security & Privacy System Preferences. 
OK 


This prompts you to approve the KEXT in System Preferences » Security & Privacy, which 
will be automatically opened for you. 


Click OK. The Security & Privacy tab in the System Preferences window appears. Click Allow. 


[Screenshot: Security & Privacy pane with the message "System software from developer "BlackBag Technologies, Inc." was blocked from loading." and an Allow button next to it] 
It cannot be run from a 


To launch the EWMounter application, double-click the application icon in the 
/Applications/Inspector folder. The EWMounter application window appears. 


[Screenshot: EWMounter window with Mount, Unmount, and Verify Hash buttons] 


Mounting Options 


To mount an E01 image file click Mount. Navigate to the E01 file and click Open. The Mounting 
Options window appears. 


[Screenshot: Mounting Options dialog with the Virtualize Device checkbox (Does not mount partitions), the Set Block Size option (macOS 10.13.X and higher), and OK and Cancel buttons] 


To mount the file (and partitions) normally, unmark the Virtualize Device checkbox. Under most 
circumstances, the Virtualize Device checkbox should not be marked. 


If the E01 file is damaged, you can create a file system entry without mounting the E01 file by 
marking the Virtualize Device checkbox. You can mount the E01 file as a virtualized device to 
create a file system entry, and then run the ‘dd’ utility (convert and copy), or other disk recovery 
tools. 
On macOS 10.13 and higher, the Set Block Size option is available. This lets you set different 
block sizes based on the type of image. Advanced Format hard drives ship with 4k sector sizes, 
which do not mount properly with a 512 (default) block size. To properly mount such an image, 
mark the Set Block Size checkbox and choose a size, then click OK. Available sizes are 512, 4096 
and 8192. 


A block size of 4096 should be selected for images of a 2015 MacBook, 2015 MacBook Air, and 
any Mac model shipped with an SSD in 2016 and later. 
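One way to decide which block size to choose before mounting, as an added example that is not EWMounter's own code: it probes a raw image for the GPT header, which always lives at LBA 1, so the byte offset at which the "EFI PART" signature appears reveals the sector size the image was acquired with. The sample image builder is a constructed stand-in, not a real acquisition. 

```python
import io
import struct

# The block sizes EWMounter's Set Block Size option offers.
CANDIDATE_BLOCK_SIZES = (512, 4096, 8192)
GPT_SIGNATURE = b"EFI PART"


def detect_block_size(image):
    """Return the sector size a raw image was acquired with, or None if no
    GPT header is found (an MBR-only image gives no such hint).

    A GPT header always sits at LBA 1, so its "EFI PART" signature appears
    at byte offset 512 on a 512-byte-sector disk and at byte offset 4096 on
    an Advanced Format (4Kn) disk. Probing each candidate offset, and
    checking that the header's MyLBA field really says 1, identifies the
    size to pick before mounting, which is when a wrong block size fails.
    """
    for size in CANDIDATE_BLOCK_SIZES:
        image.seek(size)
        header = image.read(32)
        if len(header) < 32 or header[:8] != GPT_SIGNATURE:
            continue
        my_lba = struct.unpack_from("<Q", header, 24)[0]
        if my_lba == 1:
            return size
    return None


def make_sample_image(sector_size, total_sectors=64, with_gpt=True):
    """Build a minimal synthetic disk image (constructed test data, not a
    real acquisition): an MBR boot signature at LBA 0 and, unless with_gpt
    is False, a GPT header at LBA 1 for the given sector size."""
    buf = bytearray(sector_size * total_sectors)
    buf[510:512] = b"\x55\xAA"                          # MBR boot signature
    if with_gpt:
        hdr = bytearray(92)
        hdr[0:8] = GPT_SIGNATURE
        struct.pack_into("<I", hdr, 8, 0x00010000)      # revision 1.0
        struct.pack_into("<I", hdr, 12, 92)             # header size
        struct.pack_into("<Q", hdr, 24, 1)              # MyLBA = 1
        struct.pack_into("<Q", hdr, 32, total_sectors - 1)  # AlternateLBA
        buf[sector_size:sector_size + 92] = hdr
    return io.BytesIO(bytes(buf))


if __name__ == "__main__":
    for size in CANDIDATE_BLOCK_SIZES:
        print(size, "->", detect_block_size(make_sample_image(size)))
```

On a real extracted raw image, pass the handle from open(path, "rb"); the probe reads only a few bytes near the start of the file. 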


EWMounter opens and mounts the E01 image with the options you set. 


ey fail to launch 


On the left side of the EWMounter window, the mounted E01 file shows a green dot to the left of 
the file name. Select the E01 image file name. On the right side of the EWMounter window under 
Volumes, the E01 image file partitions display along with the image file's MD5 and SHA1 hash 
values. 


[Screenshot: EWMounter window with cfreds 2015 data leakage pc.E01 selected, showing the Image file path, Device Entry /dev/disk2, Device Size 21,474,836,480 (20.00 GBs), Volumes (System Reserved, Untitled), and the MD5 and SHA1 hash values] 


Not all E01 files have a SHA1 hash value. If an E01 image file does not have a SHA1 hash value, 
only the MD5 hash value appears. 
Verifying MD5 and SHA1 Hash Values 


To verify the E01 image MD5 and SHA1 hash values in EWMounter, click Verify Hash. 


[Screenshot: MD5 and SHA1 values with a Verifying progress indicator below them] 
If the hash verification succeeds, (Verified) appears. If the hash verification fails, (Failed) appears. 


[Screenshot: MD5 and SHA1 values, each followed by (Verified)] 
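Verifying an extracted raw image against the hash values shown for its E01, as an added example in Python rather than EWMounter's own routine: it hashes the data in one pass, treats SHA1 as optional because not every E01 carries one, and reports Verified or Failed per hash. The sample bytes are a constructed stand-in for image data, and the expected values are assumed to be the ones the EWMounter window displays. 

```python
import hashlib
import hmac
import io

CHUNK_SIZE = 1 << 20  # hash 1 MiB at a time so a multi-GB image never sits in RAM

# Constructed stand-in for the bytes of a raw image (not real evidence data).
SAMPLE_IMAGE = b"The quick brown fox jumps over the lazy dog"


def sample_stream():
    """Open the constructed sample as a binary stream, as open(path, 'rb') would."""
    return io.BytesIO(SAMPLE_IMAGE)


def hash_raw_image(stream):
    """Compute MD5 and SHA1 of a raw image in a single pass over the data."""
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    for chunk in iter(lambda: stream.read(CHUNK_SIZE), b""):
        md5.update(chunk)
        sha1.update(chunk)
    return md5.hexdigest(), sha1.hexdigest()


def verify_raw_image(stream, expected_md5, expected_sha1=None):
    """Report "Verified" or "Failed" per hash, as the EWMounter window does.

    expected_sha1 may be None because not every E01 carries a SHA1 value; in
    that case only MD5 is checked. Expected values are normalised to lower
    case so a hash copied in upper case still compares equal.
    """
    md5_hex, sha1_hex = hash_raw_image(stream)

    def status(actual, expected):
        match = hmac.compare_digest(actual, expected.strip().lower())
        return "Verified" if match else "Failed"

    results = {"MD5": status(md5_hex, expected_md5)}
    if expected_sha1 is not None:
        results["SHA1"] = status(sha1_hex, expected_sha1)
    return results


if __name__ == "__main__":
    report = verify_raw_image(
        sample_stream(),
        "9e107d9d372bb6826bd81d3542a419d6",
        "2fd4e1c67a2d28fced849ee1bb76e7391b93eb12",
    )
    for name, result in report.items():
        print(f"{name}: ({result})")
```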


Mounted E01 image files also mount as part of the file system on the analysis computer and are 
visible as a mounted device on the Desktop and in a Finder window. This example shows 
mounted E01 image file partitions in the EWMounter window as they appear mounted on the 
Desktop. 


[Screenshot: EWMounter details for cfreds 2015 data leakage pc.E01 (Image file path, Device Entry /dev/disk2, Device Size 21,474,836,480 (20.00 GBs), Volumes System Reserved and Untitled, MD5 and SHA1 values) beside the System Reserved and Untitled volume icons on the Desktop] 
Previewing a Mounted E01 Image File 

You can preview a mounted E01 Image File in Finder and in Inspector. 

Previewing in Finder 

A mounted volume may be opened in the Finder and the contents previewed as if the volume was 
physically attached to the analysis system. Volumes are mounted with read-only permissions 
and are therefore write-protected, as indicated in the lower left corner of the window, which 
displays a small pencil symbol with a line through it. 


[Screenshot: Finder sidebar under DEVICES listing Remote Disc and the mounted E01 volumes] 


This example shows the contents of a mounted volume in a Finder window, and confirms the 
volume is read-only. 


[Screenshot: Finder window for a mounted E01 volume showing 6 items (JPG images and a text file) in the Training Manuals, Product User Guides, and iPhoto Libraries view, with the read-only pencil symbol in the lower left corner] 
Previewing in Inspector 


To preview the contents of an E01 file in Inspector, mount the E01 file using EWMounter. After 
the E01 file is mounted, follow the same process as for adding any attached device to a case in 
Inspector. For more information, see Adding Evidence to a Case. 


In the Add Evidence window, to the left of the mounted E01 disk image or partitions, mark the 
checkboxes. In the right pane of the Add Evidence window, select the options for ingestion and 
processing, and then click Start to begin adding the attached E01 to the case. 


For more information, see Managing Case Evidence. 


Shadow Mounting an E01 Image File 


E01 image files sometimes contain partitions that do not mount cleanly. These partitions are 
marked as “dirty” in the file system (the ‘dirty bit’ is ‘flipped’). A File System Consistency Check 
(FSCK) must be run to successfully mount the file. 


Running an FSCK check normally writes to the volume being checked. EWMounter handles 
this automatically by shadow mounting the volumes and running the FSCK check on the 
shadow volume. 


Shadow mounting an E01 image file does not affect the original E01 forensic image in any way. 
No writes are made to the E01 image, so no changes are made to the forensically sound image. 
However, the shadow file does have Read-Write permissions, so changes can be made to it 
during the FSCK check. 


[Dialog: The image file failed to mount cleanly. It is likely the image was not cleanly unmounted prior to 
imaging and the dirty flag is set. Would you like to try and Shadow Mount this image? If so the 
Shadow mount will be Read/Write but the image will not be altered in any way. Buttons: Stop, Shadow Mount] 
Shadow mounted volumes display with a Shadow Mounted as R/W label in red text to the right of 
the volume name. 


[Screenshot: EWMounter window listing macwd.e01 (MacOSXJ, MacOSX, MacOSXD, MacOSS) and Dirty DMG.E01 (Part 1, Part 2, Part 3); with Dirty DMG.E01 selected, the Volumes pane shows Part 1, Part 2, and Part 3 each labelled (Shadow Mounted as R/W), followed by the image's MD5 and SHA1 values] 


The screenshot below shows two files (disk2.txt and disk3.txt) on a shadow mounted volume as 
seen in Finder. There is no pencil icon (read-only symbol) in the lower left corner of the Finder 
window. 


[Screenshot: Finder window for the shadow mounted Part 1 volume listing disk2.txt, disk3.txt, and History.plist, with a Quick Look preview of a plist file; the status bar reads "1 of 3 selected, 331.4 MB available" and shows no read-only pencil symbol] 


Because the shadow file has read-write privileges, some file information, such as dates and 
times, may be inaccurate. Time stamps may represent the time the examiner shadow mounted 
the image and the time the FSCK check occurred, and not the original image file timestamps. An 
examiner can add or delete files to and from a mounted shadow file. 
Unmounting an E01 Image File 


When the E01 volumes are no longer needed, you can unmount the volumes in the EWMounter 
application. 


Select the E01 image file. In the top left corner of the window, click Unmount. On the left side of 
the EWMounter application window, the mounted E01 file displays with a red dot to the left of the 
file name, indicating the image file is unmounted. 


[Screenshot: EWMounter window listing macwd.e01 (MacOSXJ, MacOSX, MacOSXD, MacOSS) and Dirty DMG.E01, the latter shown with a red dot to indicate it is unmounted] 


If the volume does not fully unmount, check to see if the volume is still in use. Quit any running 
applications associated with the image and unmount the volume from the Finder application. If 
the EWMounter application is quit while it still has mounted file systems, a warning appears, 
asking if those devices should be unmounted or ejected. 


[Dialog: Unmount/Eject devices. Do you want to unmount or eject all of the currently 
listed E01 images? Buttons: No, Yes] 
Extracting RAW images from EWMounter 


You can extract the raw image from within the attached E01 file. 


On the left side of the EWMounter window, select the attached E01 image with a green dot and 
open the context menu, then click Extract Raw Image. The raw disk image will be extracted to 
the selected location. 


[Screenshot: EWMounter window with the context menu on the selected KreeseUSSFDesktop.E01 image showing Open Raw Image Location... and Extract Raw Image; the details pane shows the Image file path, Device Entry /dev/disk2, Device Size 1,964,302,336 (76.34 GBs) -- Block Size: 512, the Volumes, and the MD5 and SHA1 values] 


[Dialog: Export Running... Do you wish to stop the current export process?] 


[Screenshot: MD5 and SHA1 values marked (Verified) with an Extracting... progress indicator] 
Appendix 3 - Inspector License Server Configuration 


The Inspector License Server allows labs with multiple forensic analysis computers to authorize 
Inspector over a Local Area Network (LAN). Multiple Inspector dongles (one for each analysis 
computer) are not needed with the Inspector License Server in place. 


Follow the instructions included in the software activation email to register and license the 
Inspector License Server dongle. Connect the Inspector License Server dongle to the designated 
computer and install the Inspector License Server application. 


Click the Inspector License Server icon to launch the Inspector License Server. 


The Inspector License Server shows all current product licenses contained on the License 
Server dongle. The IP address and default License Server port, 6672, appear at the bottom of 
the window. 


[Screenshot: Cellebrite Inspector License Server window] 

Product      Total   Used   Available 
BlackLight   1       0      1 
Inspector    5       0      5 

Address: 192.168.1.148:6672 


To change the default License Server port, create a text file named Inspector License Server 
Settings.txt and save it in the same folder as the Inspector License Server application. In that text 
file, type Port = NNNN, where NNNN is the appropriate port number. 


To configure an Inspector forensic analysis client computer, connect the computer to the same 
network segment as the computer running the Inspector License Server. Create a text file to tell 
Inspector to look for the License Server if a local USB dongle is not present. 


1. Create the following file in the current examiner's home directory: 


e macOS: ~/Library/Application Support/Cellebrite/Inspector/Network Dongle.txt 
e Windows 10: ~\AppData\Roaming\Cellebrite\Inspector\Network Dongle.txt 


2. Add a line with the server IP address and port (located at the bottom of the License Server 
window) in this format: Server = 172.17.2.20:6672 


This tells Inspector that if an Inspector dongle is not connected to the computer to look for the 
License Server at 172.17.2.20 over port 6672. 
When a networked forensic analysis client authorizes Inspector via the License Server, the 
License Server subtracts one license from the total number of available licenses on the License 
Server dongle. 


When all available Inspector License Server licenses are in use, additional instances of Inspector 
fail to initialize. Additional licenses must be purchased and installed on the License Server 
dongle, or an examiner must release the license on a currently authorized client computer by 
exiting Inspector or by shutting down the currently authorized computer. 


Once a license becomes available, either through purchase or when a client computer releases 
an authorization, another forensic analysis computer can run Inspector. 